[Dshield] Rating Attackers

Johannes Ullrich jullrich at sans.org
Fri Aug 2 13:48:56 GMT 2002


> alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned
> root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)

this rule will flag any packet, from any port to any port, that contains
the magic string 'uid=0(root)'.

> So it's the "any any" "any any" that's the problem.

depends a lot on your system. I would almost consider removing
the rule, or at least logging it silently (no alerts, just log the packet
in case you want to look at it later).

> So I should have "$HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any" --

no. that's probably not good. There are two intentions for this rule:
- notify you if someone just made it into your system
- notify you if someone from your network just hacked somebody's system.

so port 80 (HTTP_PORTS) is just one of the ports this rule may apply
to. I think, depending on the scenario you are concerned about, limit
the direction to '$HOME', '$HTTP_SERVERS' or '! $HOME'.

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
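Added example (my own code, not from the list post or the Snort project): a small Python matcher that evaluates the header of sid 498 against one packet under constructed snort.conf-style variables, so the effect of "any any -> any any" versus a $HOME_NET/$EXTERNAL_NET restriction can be seen on a concrete flow. It assumes the "id" output travels from the shell host back to the client, so an intrusion into your own network shows up as src=$HOME_NET, dst=$EXTERNAL_NET, and an attack launched from your network as the reverse.

```python
import ipaddress

# Constructed snort.conf-style variables (assumptions, not from the list post).
VARS = {
    "HOME_NET": ["192.0.2.0/24"],
    "HTTP_SERVERS": ["192.0.2.10/32"],
    "EXTERNAL_NET": ["!$HOME_NET"],
    "HTTP_PORTS": ["80"],
}

def match_addr(spec, ip):
    """True if ip satisfies an address spec: 'any', a CIDR, $VAR, or '!' negation."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(match_addr(s, ip) for s in VARS[spec[1:]])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def match_port(spec, port):
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_port(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(match_port(s, port) for s in VARS[spec[1:]])
    return int(spec) == port

def rule_fires(header, src_ip, src_port, dst_ip, dst_port, payload):
    """Evaluate a header like 'ip $HOME_NET any -> $EXTERNAL_NET any' plus the fixed
    content check of sid 498; only the header decides which 'uid=0(root)' packets alert."""
    if b"uid=0(root)" not in payload:
        return False
    _proto, src, sport, direction, dst, dport = header.split()
    forward = (match_addr(src, src_ip) and match_port(sport, src_port)
               and match_addr(dst, dst_ip) and match_port(dport, dst_port))
    if direction == "->":
        return forward
    # '<>' is Snort's bidirectional operator: also try the swapped pairing.
    reverse = (match_addr(src, dst_ip) and match_port(sport, dst_port)
               and match_addr(dst, src_ip) and match_port(dport, src_port))
    return forward or reverse

if __name__ == "__main__":
    pkt = ("192.0.2.10", 22, "198.51.100.5", 4444, b"uid=0(root) gid=0(root)")  # constructed
    print(rule_fires("ip $HOME_NET any -> $EXTERNAL_NET any", *pkt))
```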