Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Test question

From: Jose Celestino <japc () co sapo pt>
Date: Mon, 17 Dec 2001 02:20:28 +0000
Thus spake Phil Wood, on Sun, Dec 16, 2001 at 07:12:01PM -0700:


Here is a rule from attack-responses.rules int the 1.8.3 release:

alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; 
classtype:bad-unknown; sid:498; rev:2;)

I'd like to compliment the person who developed this rule.

Secondly, I'd like to propose a question to tickle your fancy.

If the second any were 22, and the first any was on your network, what 
would the classtype be?  Extra credit.  Fill in the blanks.



And how the hell did you intended to get a "uid=0(root)" out of an
suposely encrypted connection?


  systems are being compromised via the ___-__ ___________ ______ ________
  _____________ 

Later,

Phil


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Jose Celestino <japc () co sapo pt>
---------------------------------
Systems Administration || Operations
SAPO - PT Multimedia || http://www.sapo.pt


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: