Rule:  

--
Sid:
498

-- 

Summary: 
This event is generated by the use of a UNIX "id" command. This may be 
indicative of post-compromise behavior where the attacker is checking 
for super user privileges gained by a successful exploit against a 
vulnerable system.

-- 
Impact: 
Serious. An attacker may have gained super user access to the system.

--
Detailed Information:
This event is generated when a UNIX "id" command is used to confirm the
user name of the currently logged in user over an unencrypted connection. 
This connection can either be a legitimate telnet connection or the
result of spawning a remote shell as a consequence of a successful
network exploit. 

The string "uid=0(root)" is output from an "id" command indicating that
the user has "root" privileges.  Seeing such a response indicates that
some user, connected over the network to a target server, has root privileges.

--

Attack Scenarios: 
A buffer overflow exploit against an FTP server results in "/bin/sh"
being executed. An automated script performing an attack, checks for the
success of the exploit via an "id" command.

-- 

Ease of Attack: 
Simple. This may be post-attack behavior and can be indicative of the
successful exploitation of a vulnerable system.

-- 

False Positives: 
This rule will generate an event if a legitimate system administrator
executes the "id" command over an unencrypted connection to verify the
privilege level available to him.

This rule may also generate an event when a user views the documentation on
snort.org or any other security related web site which may contain
details on this issue.

The web site www.bugtraq.org serves a non-standard HTTP header of the
form "X-Mandatory-Snort-Alert: *GOBBLE* uid=65534(nobody) uid=0(root)";
browsing this site will generate an event.
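The detection idea in the Detailed Information section and the HTTP-header false positive described above, as an added example that is not part of this Snort documentation: a small Python re-implementation that flags any payload carrying the "uid=0(root)" string, marks hits that sit inside an HTTP response as likely false positives for triage, and gathers other traffic from the same address as the Corrective Action suggests. The packet structure, the sample traffic and the HTTP heuristic are all constructed here; the full option set of SID 498 is not reproduced on this page and is not assumed.

```python
# Added example (not from the Snort documentation): a minimal model of the
# detection behind SID 498 -- alert on any payload that carries the root
# output of the "id" command -- run over constructed sample packets.
from dataclasses import dataclass

# The content string the documentation says the rule keys on.
ROOT_MARKER = b"uid=0(root)"


@dataclass
class Packet:
    """Constructed stand-in for a captured packet (hypothetical structure)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_sid_498(payload: bytes) -> bool:
    """True when the payload contains the root 'id' output, regardless of direction
    or port, mirroring why the event also fires on web pages that quote the string."""
    return ROOT_MARKER in payload


def looks_like_http_response(payload: bytes) -> bool:
    """Triage heuristic (an assumption of this example): the documented false
    positive arrives inside an HTTP response header, not as raw shell output."""
    return payload.startswith(b"HTTP/")


def triage(packets):
    """Return (packet, verdict) for every packet that fires the rule.
    'review' is the default; 'likely-fp' marks the HTTP header case so an
    analyst checks the shell-style hits first."""
    results = []
    for pkt in packets:
        if not matches_sid_498(pkt.payload):
            continue
        verdict = "likely-fp" if looks_like_http_response(pkt.payload) else "review"
        results.append((pkt, verdict))
    return results


def pivot_on_address(packets, address):
    """Corrective action from the documentation: collect every packet that
    involves the address seen in the alert, to look for related events."""
    return [p for p in packets if address in (p.src, p.dst)]


# Constructed sample traffic; addresses come from documentation ranges and the
# contents are made up. Packet 2 models a shell answering "id" after an FTP
# exploit, packet 3 the bugtraq.org header, packet 4 a non-root "id" result.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", 21, b"220 ftp ready\r\n"),
    Packet("192.0.2.10", "203.0.113.7", 21, b"uid=0(root) gid=0(root) groups=0(root)\n"),
    Packet("192.0.2.20", "198.51.100.5", 80,
           b"HTTP/1.1 200 OK\r\n"
           b"X-Mandatory-Snort-Alert: *GOBBLE* uid=65534(nobody) uid=0(root)\r\n\r\n"),
    Packet("192.0.2.30", "192.0.2.31", 23, b"uid=1000(alice) gid=1000(alice)\n"),
]


if __name__ == "__main__":
    for pkt, verdict in triage(SAMPLE):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {verdict}")
    related = pivot_on_address(SAMPLE, "203.0.113.7")
    print(f"{len(related)} packet(s) involve 203.0.113.7")
```

Both the shell response and the HTTP header fire the rule, which is exactly the false-positive behaviour the section describes; the verdict column only orders the analyst's work, it does not suppress the event.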

--
False Negatives:
None Known

-- 

Corrective Action: 
Ensure that this event was not generated by a legitimate session, then
investigate the server for signs of compromise.

Look for other events generated by the same IP addresses.

--
Contributors: 
Original rule writer unknown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Additional false positive information contributed by Arnd Fischer

-- 
Additional References:

--
