Re: snort- problems
From: Alfredo Octavio (aov_at_primeordeal.com)
Date: 08/06/03
- Previous message: Tom Arseneault: "RE: IDS is dead, etc"
- In reply to: Rishi Pande: "snort- problems"
- Next in thread: Evans, Arian: "RE: snort- problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 6 Aug 2003 13:59:44 -0400
To: focus-ids@securityfocus.com
There is an obvious false positive: it is when a user or a program
issues an id command. If you are using Mac OS X and do not have root
activated (which you shouldn't), then you can safely ignore these
alerts.
About your other problem I am not sure. Normal snort configuration
should be scanning your whole subnet. There must be something in the
network config (a blocked switch?) not permitting it...
Ciao,
aov
On Wednesday, August 6, 2003, at 10:52 AM, Rishi Pande wrote:
> 2) Last night I had a bunch of alerts pop-up which said
> "ATTACK-RESPONSES id check returned root"; content: "uid=0(root)"
> Snort's signature database said this was an indication of an attacker
> gaining super user access to the system and that there are no known
> false positives. The alert also mentioned that the source for the
> attacks was port 80 on IPs belonging to websites I had open (Snort and
> SANS). I ran netstat to check if the ports they were connecting to had
> established a connection but none of the ports mentioned showed any
> connections. I also NMAPped the machine and it showed only the expected
> ports to be open.
----
You probably wouldn't worry about what people think of you if you could know how seldom they do. - Olin Miller
----
Alfredo Octavio
PGP Key ID: 0x6531FC6D
mailto: alfredo@octavio.net
http://alfredo.octavio.net/
At: N 10°29.809', W 066°49.480'
-----
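The false positive Alfredo describes, as an added illustration that is not code from the thread or from Snort itself: the alert quoted above is a plain content match on the string "uid=0(root)", so any TCP payload carrying that text fires it, including the body of a web page that happens to quote the signature (which is what browsing the Snort and SANS sites produced). The sample payloads below are constructed, and the "is the match inside an HTTP response body?" triage heuristic is a hypothetical helper of mine for prioritising alerts, not a Snort option.

```python
"""Why the "id check returned root" content match fires on ordinary browsing.

Added example, not from the original thread. The rule's content string is
taken from the alert quoted in the thread; the payloads and the triage
helper are constructed for illustration.
"""

# Content string quoted in the thread's alert: content: "uid=0(root)"
CONTENT_PATTERN = b"uid=0(root)"

# Constructed sample payloads: (description, server port, raw TCP payload).
SAMPLE_PAYLOADS = [
    ("web page quoting the rule's content string", 80,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     b"<html><body><pre>content: \"uid=0(root)\"</pre></body></html>"),
    ("ordinary web page", 80,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     b"<html><body><p>nothing of interest</p></body></html>"),
    ("output of id(1) echoed over a cleartext telnet session", 23,
     b"$ id\r\nuid=0(root) gid=0(wheel) groups=0(wheel)\r\n$ "),
]


def content_match(payload: bytes) -> bool:
    """The rule's check as the thread describes it: a substring search."""
    return CONTENT_PATTERN in payload


def split_http_response(payload: bytes):
    """Return (headers, body) when the payload looks like an HTTP response,
    otherwise None. Deliberately minimal: status line plus a blank line."""
    if not payload.startswith(b"HTTP/1.") or b"\r\n\r\n" not in payload:
        return None
    headers, body = payload.split(b"\r\n\r\n", 1)
    return headers, body


def triage(payload: bytes) -> str:
    """Classify one payload for an analyst (hypothetical helper).

    Returns:
      'no-match'    - content string absent; the rule would not fire
      'http-body'   - string sits inside an HTTP response body, i.e. page
                      text such as a page documenting the rule; low priority
      'investigate' - string matched outside an HTTP body; treat as real
                      command output until the host is checked (netstat,
                      a port scan from another box, as the poster did)
    """
    if not content_match(payload):
        return "no-match"
    parts = split_http_response(payload)
    if parts is not None:
        headers, body = parts
        if CONTENT_PATTERN in body and CONTENT_PATTERN not in headers:
            return "http-body"
    return "investigate"


def run_samples():
    """Triage every constructed sample; returns [(description, verdict), ...]."""
    return [(desc, triage(payload)) for desc, _port, payload in SAMPLE_PAYLOADS]


if __name__ == "__main__":
    for desc, verdict in run_samples():
        print(f"{verdict:12s} {desc}")
```

The first sample shows the mechanism behind the thread's alerts: the match is real, but the matched bytes are document text returned by a web server on port 80, which is why netstat and the port scan showed nothing unexpected. The heuristic only lowers the priority of such hits; it does not prove them benign, so the host-side checks the original poster ran remain the confirmation step.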