Rule:

--
Sid:
1332

--
Summary:
Attempted id command access via web

--
Impact:
Attempt to gain information on users and groups that exist on the host using the id command.

--
Detailed Information:
This is an attempt to gain intelligence about the users on a host. "id" is a UNIX command that will return information about the system's users and groups. This information is valuable to an attacker who can use it to plan further attacks based on the users' possible login information or be more effective in targeting specific users and groups who possess elevated privileges. The id command will return information on the user, the groups the user belongs to and the user's "gid" and "uid".

The rule looks for the "id" command in the client to web server network traffic and does not indicate whether the command was actually successful in showing the user information. The presence of the "id" command in web traffic indicates that an attacker attempted to trick the web server into executing system commands in non-interactive mode, i.e. without a valid shell session.

Alternatively this rule may trigger in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server.

--
Attack Scenarios:
1. The attacker can make a standard HTTP request that contains '/usr/bin/id' in the URI which can then return sensitive information on groups and users present on the host.
2. This command may also be requested on a command line should the attacker gain access to the machine.
3. An attacker uses an "id" command via a web server connection to test what username the web server runs under. He then looks for all the files writable by this user and finds a web server configuration file with wrong permissions.

--
Ease of Attack:
Simple HTTP request.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Webservers should not be allowed to view or execute files and binaries outside of their designated web root or cgi-bin.

--
Contributors:
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Additional information from Anton Chuvakin <http://www.chuvakin.org>

--
Additional References:
sid: 1333
man id

--
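An added example, not part of the original rule documentation and not the Snort rule itself: a log-side check for the same indicator, scanning web server access logs for '/usr/bin/id' in the request URI after percent-decoding. The Common Log Format input, the sample lines, the function names and the extra /bin/id path are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Matches the path named in the rule documentation ('/usr/bin/id'), plus
# /bin/id (assumption), only when "id" is a whole token, so a path such as
# /usr/bin/identify is ignored.
ID_CMD = re.compile(r"(?:/usr)?/bin/id(?![A-Za-z0-9_.-])", re.IGNORECASE)

# Common Log Format: client, identity, user, [timestamp], "METHOD URI PROTO", status
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalize(uri, max_rounds=3):
    """Percent-decode repeatedly so %2F and double-encoded %252F forms are seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def find_id_attempts(lines):
    """Return (client, status, decoded_uri) for each request carrying the id command."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, _method, uri, status = m.groups()
        decoded = normalize(uri)
        if ID_CMD.search(decoded):
            hits.append((client, int(status), decoded))
    return hits

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/test.cgi?cmd=/usr/bin/id HTTP/1.0" 200 87',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/test.cgi?cmd=%2Fusr%2Fbin%2Fid HTTP/1.0" 404 209',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /docs/usr/bin/identify.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, status, uri in find_id_attempts(SAMPLE_LOG):
        # A hit records an attempt only; the status code is context for triage,
        # not proof that the command ran.
        print(f"{client} status={status} uri={uri}")
```

As with the rule, a hit shows that the request was made, not that the command executed; the response body or host-level process logs are needed to confirm that.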