Snort mailing list archives

Discussion of sid498 triggers sid498 :-)


From: James Garrison <jhg () athensgroup com>
Date: Fri, 30 Nov 2001 11:02:07 -0600

There was a recent posting to the list about sid498.  This rule looks
for a particular string "uid=0[root]", which was contained in the
posting.  This triggered the rule (I changed the parentheses to 
brackets to avoid triggering it again with this message).  I think
this is a good rule, and the occasional false positive is worth the
minor annoyance.

-- 
James Garrison                                Athens Group, Inc.
mailto:jhg () athensgroup com                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C         (512) 345-0600 x150

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

