649.txt
Rule:

--
Sid:
649

--
Summary:
Shellcode to set the group identity to 0 (root) was detected.

--
Impact:
If this code is executed successfully, it is possible for the current process to inherit root group privileges.

--
Detailed Information:
Snort detected data resembling the x86 assembly code to change the group identity to 0.

--
Affected Systems:

--
Attack Scenarios:
As part of an attack on a remote service, an attacker may attempt to take advantage of insecure coding practices and execute code of his or her choosing through techniques known as 'buffer-overflows', 'format-strings' and others. Such attacks may contain code to change the identity of the current group to that of the root group (setgid 0).

--
Ease of Attack:
Non-trivial. Shellcode (and just x86 assembly code in general) requires a fairly intimate knowledge of computer architecture, memory structures, and many concepts that are part of the more arcane areas of computing. Furthermore, if this was in fact an attack, the attacker needs to have a good idea of the design of both the program and the system that he or she is attacking. The x86 setgid call itself is not particularly difficult, and by itself is not harmful. However, combined with other carefully aimed shellcode, it can be quite lethal.

--
False Positives:
Fairly high. Large binary transfers, certain web traffic, and even mail traffic can trigger this rule, but are not necessarily indicative of actual setgid code.

--
False Negatives:
None Known

--
Corrective Action:
Determine what stream of traffic generated this particular alert. If you only have the alert but not the entire packet, examine the system for peculiarities. If you are smart and have the entire packet (or better yet, all your traffic for the past n hours), attempt to determine if this particular sequence of characters was part of an innocent stream of data (large binary transfers, for example) or part of a malicious act against your machine.

In either case, check for other activity from the host in question -- both currently collected traffic and traffic in the future.

--
Contributors:
Original rule writer unknown
Original document author unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Jon Hart <warchild@spoofed.org>

--
Additional References:

--
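As an added triage aid (not part of the Snort documentation above, and not Snort's own matching logic), the scanner below looks for the 32-bit x86 syscall stub this class of rule keys on, `mov al, imm8` followed by `int 0x80`, reports whether the immediate is a setgid syscall number, and notes whether the first argument register was zeroed just before the call, which helps separate real setgid(0) code from a chance 4-byte hit in a large binary transfer. The syscall numbers (Linux i386 46/214, FreeBSD 181) and the `xor ebx,ebx` / `sub ebx,ebx` argument-zeroing check are assumptions made here, and the zeroing check only reflects the Linux i386 register convention; the sample payloads are constructed.

```python
import re
from typing import Dict, List

# Assumed setgid syscall numbers for 32-bit x86 targets (not from the rule text):
# Linux i386 46 = setgid16, 214 = setgid32; FreeBSD 181 = setgid.
SETGID_SYSCALLS = {46: "linux setgid16", 214: "linux setgid32", 181: "freebsd setgid"}

# `mov al, imm8` (B0 xx) immediately followed by `int 0x80` (CD 80).
# DOTALL lets the immediate be any byte, including 0x0A.
SYSCALL_STUB = re.compile(rb"\xb0(.)\xcd\x80", re.DOTALL)

# Common ways shellcode zeroes ebx (the gid argument on Linux i386):
# xor ebx,ebx and sub ebx,ebx. Heuristic only; other targets pass args on the stack.
ZERO_EBX = (b"\x31\xdb", b"\x29\xdb")


def scan_setgid0(payload: bytes, window: int = 8) -> List[Dict]:
    """Return one finding per setgid syscall stub found in payload."""
    findings = []
    for m in SYSCALL_STUB.finditer(payload):
        nr = m.group(1)[0]
        if nr not in SETGID_SYSCALLS:
            continue  # some other syscall (e.g. setuid) - outside this rule's scope
        before = payload[max(0, m.start() - window):m.start()]
        findings.append({
            "offset": m.start(),
            "syscall": nr,
            "name": SETGID_SYSCALLS[nr],
            "arg_zeroed": any(z in before for z in ZERO_EBX),
        })
    return findings


def triage(payload: bytes) -> str:
    """Summarise the corrective-action question: innocent bytes or setgid(0) code?"""
    hits = scan_setgid0(payload)
    if not hits:
        return "no setgid syscall stub"
    if any(h["arg_zeroed"] for h in hits):
        return "setgid stub with zeroed argument nearby: treat as likely setgid(0) shellcode"
    return "setgid stub without zeroed argument nearby: possible false positive, review full stream"


if __name__ == "__main__":
    # Constructed samples: a minimal setgid(0) stub, the same 4 bytes inside an
    # innocent-looking binary blob, and a setuid stub that this scanner ignores.
    SHELLCODE = b"\x31\xdb\xb0\x2e\xcd\x80"          # xor ebx,ebx ; mov al,46 ; int 0x80
    BINARY_BLOB = b"GIF89a" + b"\xb0\x2e\xcd\x80" + b"\x00" * 4
    SETUID_ONLY = b"\xb0\x17\xcd\x80"                # mov al,23 ; int 0x80
    for sample in (SHELLCODE, BINARY_BLOB, SETUID_ONLY):
        print(sample.hex(), "->", triage(sample))
```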