Snort mailing list archives
Re: Rules question
From: dr.kaos <dr.kaos () kaos to>
Date: Thu, 14 Feb 2002 14:34:14 -0500
On Thursday 14 February 2002 12:22 pm, Matt Kettler wrote:

[...snip...]

> Look at the rule:
>
> attack-responses.rules:alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0***(root)"; classtype:bad-unknown; sid:498; rev:2;)
>
> (I inserted *** in the content section, otherwise this very email will set off the rule.)
>
> So any TCP connection, in any direction, which is connected and has that text string in it will trigger.

see below...

> So text downloading the rules file in uncompressed form will trigger it. Emails quoting the rule will trigger it (unless modified like this one). Some OS install/setup/security discussions on websites, email and news will set it off.

Specifically, a recent e-mail posted to Bugtraq regarding an Ettercap root vulnerability triggered it during a pop of one of my mailboxes. I bet this was the reason for the original question...

./dr.kaos

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
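As an added illustration that is not part of the thread, the following Python models the plain substring check that sid 498 amounts to (any direction, any port, one content option) and runs it over constructed payloads for each situation the thread names. The rule text is the one quoted above with the *** removed; the payloads are made up for the example.

```python
import re

# Snort rule quoted in the thread, with the *** taken back out so the
# content option reads as it does in attack-responses.rules.
RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
        'flags:A+; content:"uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')


def content_pattern(rule: str) -> bytes:
    """Pull the content:"..." option out of a rule (simplified parser: no
    escapes or |hex| byte notation, which this rule does not use)."""
    m = re.search(r'content:\s*"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no content option")
    return m.group(1).encode()


def matches(rule: str, payload: bytes) -> bool:
    """For 'any any -> any any' with a single content option, the detection
    engine effectively reduces to: does the payload contain the string?"""
    return content_pattern(rule) in payload


# Constructed sample payloads, one per case discussed in the thread.
SAMPLES = {
    # the real thing: an 'id' command echoed back in an interactive session
    "shell_response": b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n",
    # fetching attack-responses.rules uncompressed over plain HTTP
    "rules_download": b"HTTP/1.0 200 OK\r\n\r\n" + RULE.encode() + b"\n",
    # a mail that quotes the rule verbatim, retrieved over POP3
    "mail_quoting_rule": b"+OK\r\n> Look at the rule: " + RULE.encode() + b"\r\n",
    # the same mail with *** inserted, as in the archived message
    "mail_with_stars": b"+OK\r\ncontent: \"uid=0***(root)\"\r\n",
    # unrelated traffic
    "benign": b"HTTP/1.0 200 OK\r\n\r\n<html>hello</html>",
}


def alerts(rule: str = RULE, samples=SAMPLES) -> list[str]:
    """Names of the samples that would raise sid 498."""
    return [name for name, data in samples.items() if matches(rule, data)]


if __name__ == "__main__":
    for name in alerts():
        print("ALERT sid:498 on", name)
```

Only the starred mail and the benign page stay quiet; the rules download and the verbatim quote alert exactly like the genuine `id` response, which is the false-positive pattern the thread describes.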
Current thread:
- Rules question Bastian Ballmann (Feb 14)
- <Possible follow-ups>
- Re: Rules question Matt Kettler (Feb 14)
- Re: Rules question dr . kaos (Feb 14)