Snort mailing list archives
Re: Test question
From: Greg Herlein <gherlein () herlein com>
Date: Sun, 16 Dec 2001 19:35:52 -0800 (PST)
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
Interesting - this email exchange triggered this rule in my system, giving me a moment's heart palpitation. :) It saw it on port 25 - so I knew it was either legit email, or a new hack of sendmail. I'll probably add a new rule to turn this off if on port 25 or I'll get more similar false positives. I'm not sure how to trigger on it on port 25 if it's not in email.... gotta think about that.

Greg

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
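The false positive Greg describes, as an added illustration that is not part of the original thread: a small Python model of how sid:498 matches (header ports, `flags:A+`, plain `content` substring) run over constructed packets, next to a hypothetical variant of the rule whose destination port is `!25` so that SMTP traffic no longer triggers it. The port and flag handling is a deliberately reduced subset of Snort's rule syntax, and the packets are made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Rule exactly as quoted in the thread, and a hypothetical variant that excludes SMTP.
ORIGINAL_RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
                 'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')
NO_SMTP_RULE = ORIGINAL_RULE.replace("-> any any", "-> any !25")

@dataclass
class Packet:
    name: str
    src_port: int
    dst_port: int
    flags: str       # TCP flags present, e.g. "AP" for ACK+PSH
    payload: bytes

def parse_rule(text):
    """Split a Snort rule into header fields and an option dict (subset of the syntax)."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    opts = dict(re.findall(r'(\w+):\s*"?([^";]*)"?;', body))
    return {"action": action, "proto": proto, "sport": sport, "dport": dport, **opts}

def port_matches(spec, port):
    if spec == "any":
        return True
    if spec.startswith("!"):          # Snort port negation, e.g. !25
        return port != int(spec[1:])
    return port == int(spec)

def flags_match(spec, flags):
    required = set(spec.rstrip("+"))  # "A+" = ACK set, any other flags allowed
    return required <= set(flags) if spec.endswith("+") else required == set(flags)

def alerts(rule_text, packets):
    """Return the names of the packets the rule would alert on."""
    r = parse_rule(rule_text)
    return [p.name for p in packets
            if port_matches(r["sport"], p.src_port) and port_matches(r["dport"], p.dst_port)
            and flags_match(r["flags"], p.flags) and r["content"].encode() in p.payload]

# Constructed traffic: a real id(1) response, an e-mail quoting the rule, and a bare SYN.
PACKETS = [
    Packet("shell reply", 80, 40213, "AP", b"uid=0(root) gid=0(root) groups=0(root)\n"),
    Packet("mail quoting rule", 35012, 25, "AP", b'content: "uid=0(root)"; classtype:bad-unknown;\r\n'),
    Packet("syn only", 40214, 80, "S", b""),
]
```

The original rule fires on both the shell reply and the message quoting it, while the `!25` variant fires only on the shell reply; as Greg notes, the trade-off is that the same content arriving on port 25 outside of mail is then no longer seen.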