Snort mailing list archives
Re: Test question
From: Phil Wood <cpw () lanl gov>
Date: Mon, 17 Dec 2001 14:12:18 -0700
As far as I'm concerned, you all passed in one way or another. %^) With the exception of myself who should have suggested that the rule and possibly others be modified to avoid triggering the very same rule! pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(|726F6F74|)"; classtype:bad-unknown; sid:498; rev:2;) or even pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=|30|(root)"; classtype:bad-unknown; sid:498; rev:2;) Later, -- Phil Wood, cpw () lanl gov _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Test question, (continued)
- Re: Test question Erik Fichtner (Dec 16)
- Re: Test question Greg Herlein (Dec 16)
- Re: Test question Jose Celestino (Dec 16)
- Re: Test question James (Dec 16)
- Re: Test question Ralf Hildebrandt (Dec 17)
- Re: Test question Paul Cardon (Dec 16)
- RE: Test question Ronneil Camara (Dec 16)
- RE: Test question Ryan Hill (Dec 17)
- Re: Test question Erik Fichtner (Dec 17)
- RE: Test question Ronneil Camara (Dec 17)
- Re: Test question Phil Wood (Dec 17)
- RE: Test question Ryan Hill (Dec 17)
- Re: Test question George Patterson (Dec 18)
- RE: Test question Ronneil Camara (Dec 17)
- RE: Test question Ryan Russell (Dec 18)
- RE: Test question Jim Forster (Dec 18)
- RE: Test question Ryan Russell (Dec 18)