On Fri, 1 Feb 2002, John Daniele wrote:
>
>
> I may be totally wrong on this, but I thought id check is logged when the
> output of 'id' is detected within traffic, i.e.: uid=(root), gid=0(wheel).
>
You are correct. Of course, this behavior could be replicated by anything
that provokes that type of reply. A good rule of thumb would be for him to
audit the server this traffic is coming from, and look for current
holes. You will either be catching some kiddie who just ./hacked you and
ran `id` or some user who used telnet when they should be using
ssh... They should NOT be su'ing to root across telnet.
Here is the rule for clarification:
alert tcp any any -> any any (msg:"INFO id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:1;)
Hope that helps.
Digital Ebola
http://wintermute.legions.org/~digi/
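As an added illustration (not part of the original thread and not Snort's own code), here is a small Python re-implementation of that rule's `flags:A+` and `content` tests, run over constructed sample segments. It also shows the point made above: an administrator running `id` after `su` over telnet matches exactly like a backdoor's reply does.

```python
"""Toy re-implementation of Snort sid:498 ("id check returned root") as a
defender's sanity check. Added example, not Snort code; payloads are constructed."""

RULE = ('alert tcp any any -> any any (msg:"INFO id check returned root"; '
        'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:1;)')

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_options(rule):
    """Return the option part of a Snort rule as a dict, e.g. {'sid': '498', ...}."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts

def flags_match(spec, tcp_flags):
    """Snort 'flags' modifier: 'A+' means ACK set, any other bits allowed;
    without '+', the flag set must match exactly."""
    plus = spec.endswith("+")
    required = sum(TCP_FLAG_BITS[c] for c in spec.rstrip("+"))
    if plus:
        return tcp_flags & required == required
    return tcp_flags == required

def rule_fires(opts, tcp_flags, payload):
    """True when both the flags test and the raw content match hold for one segment."""
    return flags_match(opts["flags"], tcp_flags) and opts["content"].encode() in payload

# Constructed sample segments (name, tcp_flags, payload); 0x18 = PSH+ACK, 0x02 = SYN
SAMPLES = [
    ("backdoor reply", 0x18, b"uid=0(root) gid=0(root) groups=0(root)\r\n"),
    ("admin su over telnet", 0x18, b"$ su -\r\nPassword:\r\n# id\r\nuid=0(root) gid=0(root)\r\n"),
    ("ordinary user", 0x18, b"uid=1000(bob) gid=1000(bob) groups=1000(bob)\r\n"),
    ("SYN, no ACK", 0x02, b"uid=0(root)"),
]

def evaluate(samples=SAMPLES):
    """Map each sample name to whether sid:498 would alert on it."""
    opts = parse_options(RULE)
    return {name: rule_fires(opts, flags, data) for name, flags, data in samples}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} -> {'ALERT sid:498' if hit else 'no alert'}")
```

Both the "backdoor reply" and the "admin su over telnet" segments alert, which is why the advice above is to audit the server rather than treat the alert as a verdict.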