Snort mailing list archives
Discussion of sid498 triggers sid498 :-)
From: James Garrison <jhg () athensgroup com>
Date: Fri, 30 Nov 2001 11:02:07 -0600
There was a recent posting to the list about sid498. This rule looks for a particular string "uid=0[root]", which was contained in the posting. This triggered the rule (I changed the parentheses to brackets to avoid triggering it again with this message).

I think this is a good rule, and the occasional false positive is worth the minor annoyance.

--
James Garrison                    Athens Group, Inc.
mailto:jhg () athensgroup com     5608 Parkcrest Dr
http://www.athensgroup.com        Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C   (512) 345-0600 x150