Re: snort- problems

From: Alfredo Octavio (
Date: 08/06/03

  • Next message: Evans, Arian: "RE: snort- problems"
    Date: Wed, 6 Aug 2003 13:59:44 -0400

    There is an obvious false positive, it is when a user or a program
    issues an id command, if you are using Mac OS X and do not have root
    activated (which you shouldn't), then you can safely ignored this
    About your other problem I am not sure. Normal snort configuration
    should be scanning your whole subnet. There must be something in the
    network config (a blocked switch?) not permitting it...

    On Wednesday, August 6, 2003, at 10:52 AM, Rishi Pande wrote:

    > 2) Last night I had a bunch of alerts pop-up which said
    > "ATTACK-RESPONSES id check returned root"; content: "uid=0(root)"
    > Snort's signature database said this was an indication of an attacker
    > gaining super user access to the system and that there are no known
    > false positives. The alert also mentioned that the source for the
    > attacks were port 80 on IPs belonging to websites I had open(Snort and
    > SANS) I ran netstat to check if the ports they were connecting to had
    > established a connection but none of the ports mentioned showed any
    > connections. I also NMAPped the machine and it showed only the expected
    > ports to be open.

    You probably wouldn't worry about what people think of you if you could 
    know how seldom they do.
      - Olin Miller
    Alfredo Octavio						
    PGP Key ID: 0x6531FC6D
    At: N    10вк29.809', W 066вк49.480'
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
    Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at:

  • Next message: Evans, Arian: "RE: snort- problems"

    Relevant Pages

    • Re: [Full-disclosure] Brute force attack - need your advice
      ... But please state a config that someone with experience can not get into, is more of a point that security is ever evolving. ... Yup it is security by obscurity and it will help against a script kiddie that won't take the time to scan all ports, thats why I suggested move to a high non-standard port. ... I'm not talking about downloading blacklists but dynamic firewall rules and scripting to achieve a dynamic list based on ranking of attacks against the box. ...
    • Re: Scanning Class A network
      ... >network to identify hosts and ports exposed to the Internet. ... >Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
    • Re: issues with Intel Pro/1000 and 1000baseTX
      ... It's connected to a HP Procurve 1700-24 switch which supports 1000baseTX on ... much older end user system which uses the same card, ... problem connecting at 1000baseTX. ... I have of course tried switching ports. ...
    • RE: Scanning Class A network
      ... The network you're scanning will have changed significantly in the time ... Assuming you could build a cluster to check 100,000 ports per second, ... >Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping carts, ...
    • Re: [fw-wiz] IPS vs. Firewalls (why vs. ?)
      ... that listening ports on the proxy-firewall. ... The only attacks you're mitigating ... There are about a million ways I can get a malicious WMF to ...