Snort mailing list archives
Re: id check returned root ?!?!
From: "Michael D. Schleif" <mds () helices org>
Date: Sat, 28 Jun 2003 15:37:29 -0500
Also sprach Erek Adams (Sat 28 Jun 02003 at 03:29:12PM -0400):
> On Sat, 28 Jun 2003, Michael D. Schleif wrote:
>
> > I am fairly new to snort, and I've just begun analyzing my logs.
> >
> > I have my home office network, from which I am writing this post, that is NAT'ed behind an ipchains firewall. This system is: 192.168.123.150
> >
> > I also have a web/email server hosted by tera-byte.com: 216.234.189.108
> >
> > Last week I received several of these:
> >
> > 4 216.234.189.108 192.168.123.150 ATTACK RESPONSES id check returned root
> >
> > Now, I have come to realize that this is a dangerous situation. I run chkrootkit daily and have _nothing_ to report.
> >
> > What should I do?
>
> Look at the packet, not the alert. From an alert you really can't tell what happened, only that something did. If you're logging to binary (pcap) to get the packet it's as simple as:
>
> snort -dvr <pcap_filename> 'host 216.234.189.108' |less
>
> And that will show you all the packets that it could have been. Now the fun part: Figuring out what went on. :) You may find out that this is a normal packet from a webmail application or something of the sort.
>
> If you're not logging to binary, well... Either start and look at the packets or 'hope'. :)
# sudo snort -V

   -*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Regarding ``logging to binary'', I am running snort from a debian package, and by default /etc/snort/snort.conf has this enabled:

output log_tcpdump: tcpdump.log

This creates these files:

/var/log/snort/tcpdump.log._timestamp_

Examining these for the string `id=' does show me that every logged instance, in context, is a security-related email and all instances of `id=' are really either `gid=' or `uid='.

I am relieved about that ;>

I was going to start a new thread in this regard; but your post gives me pause, and I suspect that my new question is applicable to this same thread ;>

What is the difference between the snort.conf log_tcpdump line and the commandline:

-b ???

``Log packets in a tcpdump(1) formatted file.''

This morning, I activated -b and now I am getting a new sequence of files:

/var/log/snort/snort.log._timestamp_

Although this log now contains a couple of events, there is *NO* new activity in tcpdump.log._timestamp_ .

What do you think?

-- 
Best Regards,

mds
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
--
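Erek's advice above (look at the packet, not the alert) and the `id=` grep in the reply, carried out as an added example that is not part of this thread or of Snort itself: a small Python script that walks a Snort binary (tcpdump-format) log with only the standard library, extracts each TCP payload, and reports every `uid=0(root)` occurrence with its surrounding bytes, so a mailed security report can be told apart from command output on the wire. The pcap writer, the two sample packets and the simplified match pattern are constructed for this example; the content the real Snort rule matches may differ.

```python
import re
import struct

def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums left zero, which is fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a libpcap file: magic 0xa1b2c3d4, version 2.4, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1056800000 + i, 0, len(f), len(f)) + f
    return out

# Simplified stand-in for the content the "id check returned root" signature keys on.
ROOT_ID = re.compile(rb"uid=0\(root\)")

def find_id_check_hits(pcap, context=30):
    """Return (src, dst, sport, dport, snippet) for every TCP payload containing uid=0(root)."""
    hits, off = [], 24                      # 24 = size of the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                        # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header per data offset
        for m in ROOT_ID.finditer(payload):
            snippet = payload[max(0, m.start() - context):m.end() + context]
            hits.append((src, dst, sport, dport, snippet.decode("latin-1")))
    return hits

# Constructed sample traffic: a mailed security report (benign) and an HTTP response resembling shell output.
MAIL = tcp_frame("216.234.189.108", "192.168.123.150", 110, 33000,
                 b"Subject: daily security check\r\n/usr/bin/sudo: setuid uid=0(root) gid=0(root)\r\n")
HTTP = tcp_frame("216.234.189.108", "192.168.123.150", 80, 33001,
                 b"HTTP/1.0 200 OK\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\n")
SAMPLE_PCAP = build_pcap([MAIL, HTTP])

if __name__ == "__main__":
    for src, dst, sport, dport, snippet in find_id_check_hits(SAMPLE_PCAP):
        print(f"{src}:{sport} -> {dst}:{dport}  ...{snippet!r}...")
```

Point it at a real `tcpdump.log._timestamp_` file by passing its bytes to `find_id_check_hits`; the source port and surrounding text are usually enough to tell a POP/SMTP-delivered report from a web-server response.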