File: 1882.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (79 lines) | stat: -rw-r--r-- 2,123 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
Rule:  

--
Sid: 1882

-- 

Summary: 
This event is generated by the use of a UNIX "id" command. This may be 
indicative of post-compromise behavior where the attacker is checking 
for super user privileges gained by a sucessful exploit against a 
vulnerable system.

-- 
Impact: 
Serious. An attacker may have gained user access to the system.

--
Detailed Information:
This event is generated when a UNIX "id" command is used to confirm the 
user name of the currenly logged in user over an unencrypted connection. 
This connection can either be a legitimate telnet connection or the 
result of spawning a remote shell as a consequence of a successful 
network exploit. 

The string "uid=" is an output of an "id" command indicating that a 
check is being made on the users current id.

--

Attack Scenarios: 
A buffer overflow exploit against an FTP server results in "/bin/sh" 
being executed. An automated script performing an attack, checks for the
success of the exploit via an "id" command.

-- 

Ease of Attack: 
Simple. This may be post-attack behavior and can be indicative of the 
successful exploitation of a vulnerable system.

-- 

False Positives: 
This rule will generate an event if a legitimate system administrator 
executes the "id" command over an unencrypted connection to verify the 
privilege level available to him.

This rule may generate false positive events when some servers return 
error messages that include uid and gid information. Qmail is one such 
server application.

This rule may also generate event by viewing the documentation on 
snort.org.

--
False Negatives:
None Known

-- 

Corrective Action: 
Ensure that this event was not generated by a legitimate session then 
investigate the server for signs of compromise

Look for other events generated by the same IP addresses.

--
Contributors: 
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Additional false positive information from Javier Fernandez-Sanguino

-- 
Additional References:

--