Snort mailing list archives

Re: id check returned root ?!?!


From: "Michael D. Schleif" <mds () helices org>
Date: Sat, 28 Jun 2003 15:37:29 -0500

Also sprach Erek Adams (Sat 28 Jun 02003 at 03:29:12PM -0400):
> On Sat, 28 Jun 2003, Michael D. Schleif wrote:
>
> > I am fairly new to snort, and I've just begun analyzing my logs.
> >
> > I have my home office network, from which I am writing this post, that
> > is NAT'ed behind an ipchains firewall.  This system is: 192.168.123.150
> >
> > I also have a web/email server hosted by tera-byte.com: 216.234.189.108
> >
> > Last week I received several of these:
> >
> > 4  216.234.189.108  192.168.123.150  ATTACK RESPONSES id check returned root
> >
> >
> > Now, I have come to realize that this is a dangerous situation.
> >
> > I run chkrootkit daily and have _nothing_ to report.
> >
> > What should I do?
>
> Look at the packet not the alert.  From an alert you really can't tell
> what happened, only that something did.
>
> If you're logging to binary (pcap) to get the packet it's as simple as:
>
>       snort -dvr <pcap_filename> 'host 216.234.189.108' |less
>
> And that will show you all the packets that it could have been.
>
> Now the fun part:  Figuring out what went on.  :)  You may find out that
> this is a normal packet from a webmail application or something of the
> sort.
>
> If you're not logging to binary, well...  Either start and look at the
> packets or 'hope'.  :)

    # sudo snort -V

    -*> Snort! <*-
    Version 2.0.0 (Build 72)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)


Regarding ``logging to binary'', I am running snort from a debian
package, and by default /etc/snort/snort.conf has this enabled:

        output log_tcpdump: tcpdump.log

This creates these files:

        /var/log/snort/tcpdump.log._timestamp_

Examining these for the string `id=' does show me that every logged
instance, in context, is a security related email and all instances of
`id=' are really either `gid=' or `uid='.

I am relieved about that ;>

I was going to start a new thread, in this regard; but, your post gives
me pause and I suspect that my new question is applicable to this same
thread ;>

What is the difference between the snort.conf log_tcpdump line and the
commandline: -b ???

        ``Log packets in a tcpdump(1) formatted file.''

This morning, I activated -b and now I am getting a new sequence of
files:

        /var/log/snort/snort.log._timestamp_

Although this log now contains a couple of events, there is *NO* new
activity in tcpdump.log._timestamp_ .

What do you think?

-- 
Best Regards,

mds
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
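The check the thread describes, as an added example that is not part of either post: a small Python reader for the libpcap files that log_tcpdump (or -b) writes, which pulls the TCP payload out of each packet, finds the string the ATTACK RESPONSES rule keys on (assumed here to be `uid=0(root)`; the thread never quotes the rule), and separates a genuine id(1) output line from a mail body that merely contains the string. The two-packet capture is constructed inline so the script runs offline.

```python
import re
import struct

ETH_IPV4, PROTO_TCP = b"\x08\x00", 6
# Assumption: the ATTACK RESPONSES rule keys on this substring; the thread never quotes the rule.
RULE_CONTENT = b"uid=0(root)"
# Genuine id(1) output is a whole line of the form "uid=N(name) gid=N(name) ...".
ID_LINE = re.compile(rb"(?m)^uid=\d+\([^)]*\) gid=\d+\([^)]*\)")

def tcp_payloads(pcap):
    """Yield (src, dst, payload) for every IPv4/TCP packet in an Ethernet libpcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[pcap[:4]]
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != ETH_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != PROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        data_off = (tcp[12] >> 4) * 4
        yield ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), tcp[data_off:]

def triage(pcap):
    """For each packet carrying the rule string, say whether it looks like real id output."""
    results = []
    for src, dst, data in tcp_payloads(pcap):
        if RULE_CONTENT in data:
            verdict = "id-output" if ID_LINE.search(data) else "incidental"
            results.append((src, dst, verdict))
    return results

def _frame(src, dst, payload):
    """Constructed sample record: pcap record header + Ethernet + minimal IPv4 + TCP."""
    tcp = struct.pack("!HHIIBBHHH", 80, 4242, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    frame = b"\x00" * 12 + ETH_IPV4 + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed two-packet capture: a mail body that merely mentions the string, then real id output.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + _frame(
    "216.234.189.108", "192.168.123.150",
    b"Subject: nightly security report\r\n\r\nwatch for uid=0(root) in the logs\r\n") + _frame(
    "216.234.189.108", "192.168.123.150", b"uid=0(root) gid=0(root) groups=0(root)\n")
```

Point `triage()` at the bytes of a real tcpdump.log._timestamp_ file to get the same per-packet verdicts for captured traffic.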
