Snort mailing list archives
Re: Test question
From: Paul Cardon <paul () moquijo com>
Date: Sun, 16 Dec 2001 22:50:36 -0500
Greg Herlein wrote:
> alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
>
> Interesting - this email exchange triggered this rule in my system, giving me a moment's heart palpitation. :) It saw it on port 25 - so I knew it was either legit email, or a new hack of sendmail. I'll probably add a new rule to turn this off if on port 25 or I'll get more similar false positives. I'm not sure how to trigger on it on port 25 if it's not in email.... gotta think about that.
Think about this. It was triggered when you saw it with a source of $EXTERNAL_NET and a destination of $HOME_NET. Do you care about it coming inbound? Swap the source and destination and you are more likely to trigger on a real compromise. Or you could just be replying to this e-mail. ;^)
-paul
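Added example (not part of the thread or of Snort): a toy evaluator for the sid:498 logic showing why the header direction matters. It models the stock $EXTERNAL_NET -> $HOME_NET header against Paul's swapped $HOME_NET -> $EXTERNAL_NET header, over two constructed packets: this mailing-list message arriving over SMTP, and an internal host sending the output of `id` to an outside address. The address ranges, ports and payloads are made up for illustration.

```python
"""Constructed model of Snort sid:498 header direction (not Snort code)."""
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal range


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool
    payload: bytes


def in_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET


def id_check_rule(pkt: Packet, outbound: bool) -> bool:
    """Evaluate the sid:498 conditions for one packet.

    outbound=False models $EXTERNAL_NET -> $HOME_NET (the header that fired
    on the e-mail); outbound=True models Paul's swap, $HOME_NET ->
    $EXTERNAL_NET, so the rule fires on an internal host *answering* `id`.
    """
    if outbound:
        direction_ok = in_home(pkt.src) and not in_home(pkt.dst)
    else:
        direction_ok = not in_home(pkt.src) and in_home(pkt.dst)
    # flags:A+ needs ACK set (other flags allowed); content is a plain substring
    return direction_ok and pkt.ack and b"uid=0(root)" in pkt.payload


# Constructed traffic: the list message delivered to the internal MTA, and an
# internal host echoing the `id` result to an external address.
MAIL_IN = Packet("203.0.113.5", "192.0.2.25", 25, True,
                 b"Subject: Re: Test question\r\n\r\ncontent: \"uid=0(root)\"\r\n")
ID_OUT = Packet("192.0.2.77", "203.0.113.9", 1234, True,
                b"uid=0(root) gid=0(root) groups=0(root)\n")


def compare() -> dict:
    """Which header catches which packet; inbound_on_mail is the false positive."""
    return {
        "inbound_on_mail": id_check_rule(MAIL_IN, outbound=False),
        "inbound_on_id": id_check_rule(ID_OUT, outbound=False),
        "outbound_on_mail": id_check_rule(MAIL_IN, outbound=True),
        "outbound_on_id": id_check_rule(ID_OUT, outbound=True),
    }
```

The swapped header drops the SMTP false positive without needing a separate port-25 exclusion, while still matching the response Greg actually cares about.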