Snort mailing list archives

Re: Test question


From: Paul Cardon <paul () moquijo com>
Date: Sun, 16 Dec 2001 22:50:36 -0500

Greg Herlein wrote:

alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)


Interesting - this email exchange triggered this rule in my
system, giving me a moment's heart palpitation.  :)  It saw it on
port 25 - so I knew it was either legit email, or a new hack of
sendmail.

I'll probably add a new rule to turn this off if on port 25 or
I'll get more similar false positives.  I'm not sure how to
trigger on it on port 25 if it's not in email....  gotta think
about that.



Think about this. It was triggered when you saw it with a source of $EXTERNAL_NET and a destination of $HOME_NET. Do you care about it coming inbound? Swap the source and destination and you are more likely to trigger on a real compromise. Or you could just be replying to this e-mail. ;^)

-paul
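To make the direction point concrete, here is an added example (my own code, not anything from Greg, Paul or the Snort project) that evaluates a simplified version of sid 498 against constructed packets in both directions. The HOME_NET value, the addresses and the packet payloads are assumptions made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the sensor's $HOME_NET is a single /24 (constructed, not from the thread).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool         # TCP ACK bit set, the rule's flags:A+
    payload: bytes

def in_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET

def attack_response_alert(pkt: Packet, outbound_only: bool) -> bool:
    """Simplified sid 498: ACK set and "uid=0(root)" in the payload.

    outbound_only=False is the direction that fired on Greg's sensor
    ($EXTERNAL_NET -> $HOME_NET); outbound_only=True is Paul's swap
    ($HOME_NET -> $EXTERNAL_NET), so only id output leaving a home host matches.
    """
    if not pkt.ack or b"uid=0(root)" not in pkt.payload:
        return False
    if outbound_only:
        return in_home(pkt.src) and not in_home(pkt.dst)
    return (not in_home(pkt.src)) and in_home(pkt.dst)

# Constructed sample traffic: this list message arriving over SMTP, and the
# output of "id" leaving a home host over an unrelated high port.
SAMPLES = {
    "mail_inbound": Packet("203.0.113.10", "192.168.1.25", 40123, 25, True,
                           b'Subject: Re: Test question\r\n\r\ncontent: "uid=0(root)";'),
    "shell_outbound": Packet("192.168.1.77", "203.0.113.10", 4444, 51000, True,
                             b"uid=0(root) gid=0(root) groups=0(root)\n"),
}

def evaluate(samples=SAMPLES):
    """Per sample, report whether the inbound and the outbound rule direction fires."""
    return {name: {"inbound_rule": attack_response_alert(p, outbound_only=False),
                   "outbound_rule": attack_response_alert(p, outbound_only=True)}
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

The inbound direction alerts on the mail and misses the real response; the swapped direction does the opposite, which is the behaviour Paul describes.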



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

