Rule:

--
Sid:
1882

--
Summary:
This event is generated by the use of a UNIX "id" command. This may be indicative of post-compromise behavior where the attacker is checking for super user privileges gained by a successful exploit against a vulnerable system.

--
Impact:
Serious. An attacker may have gained user access to the system.

--
Detailed Information:
This event is generated when a UNIX "id" command is used to confirm the user name of the currently logged in user over an unencrypted connection. This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. The string "uid=" is an output of an "id" command, indicating that a check is being made on the user's current id.

--
Attack Scenarios:
A buffer overflow exploit against an FTP server results in "/bin/sh" being executed. An automated script performing an attack checks for the success of the exploit via an "id" command.

--
Ease of Attack:
Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.

--
False Positives:
This rule will generate an event if a legitimate system administrator executes the "id" command over an unencrypted connection to verify the privilege level available to him. This rule may generate false positive events when some servers return error messages that include uid and gid information. Qmail is one such server application. This rule may also generate an event when the documentation on snort.org is viewed, since that documentation contains the matched string.

--
False Negatives:
None Known

--
Corrective Action:
Ensure that this event was not generated by a legitimate session, then investigate the server for signs of compromise. Look for other events generated by the same IP addresses.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Additional false positive information from Javier Fernandez-Sanguino

--
Additional References:

--
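The following is an added example, not part of the Snort documentation or the rule itself: it shows the "uid=" string match this event is built on, run over constructed server-to-client payloads, and adds a stricter heuristic (an assumption, not Sourcefire's logic) that separates real `id` output from the qmail-style error messages and documentation text the False Positives section describes, so an analyst can prioritise what the Corrective Action asks them to verify.

```python
import re

# The string the rule keys on, per the Detailed Information section.
UID_STRING = re.compile(rb"uid=")

# Added heuristic (assumption): real `id` output has the shape
# "uid=<num>(<name>) gid=<num>(<name>)". Error messages and prose that
# merely mention "uid=" usually do not.
ID_OUTPUT_SHAPE = re.compile(rb"uid=\d+\([^)]+\) gid=\d+\([^)]+\)")


def matches_sid1882_string(payload: bytes) -> bool:
    """True when the server-to-client payload contains the "uid=" string."""
    return UID_STRING.search(payload) is not None


def looks_like_id_output(payload: bytes) -> bool:
    """True when the match has the shape of genuine `id` command output."""
    return ID_OUTPUT_SHAPE.search(payload) is not None


def triage(payload: bytes) -> str:
    """Classify a payload: no alert, likely id output, or a likely false positive."""
    if not matches_sid1882_string(payload):
        return "no-alert"
    if looks_like_id_output(payload):
        return "alert:id-output"
    # "uid=" present but not shaped like `id` output: qmail-style errors,
    # documentation text, etc. Still an event; needs analyst review.
    return "alert:review"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # `id` run in a telnet or remote shell session, echoed back unencrypted.
    "shell_id": b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n$ ",
    # Constructed server error mentioning uid/gid (qmail-like false positive).
    "server_error": b"451 unable to switch user (uid=1001 gid=1001), deferred\r\n",
    # Benign banner with no match at all.
    "ftp_banner": b"220 ftp.example.test FTP server ready\r\n",
    # Documentation text containing the string (the snort.org false positive).
    "doc_text": b'The string "uid=" is an output of an "id" command.',
}


def run_samples() -> dict:
    """Triage every constructed sample and return the verdicts by name."""
    return {name: triage(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} -> {verdict}")
```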