Snort mailing list archives
Re: Test question
From: Paul Cardon <paul () moquijo com>
Date: Sun, 16 Dec 2001 22:13:35 -0500
Jose Celestino wrote:
Thus spake Phil Wood, on Sun, Dec 16, 2001 at 07:12:01PM -0700:Here is a rule from attack-responses.rules int the 1.8.3 release: alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;) I'd like to compliment the person who developed this rule. Secondly, I'd like to propose a question to tickle your fancy.If the second any were 22, and the first any was on your network, what would the classtype be? Extra credit. Fill in the blanks.
ouch. successful-admin
And how the hell did you intended to get a "uid=0(root)" out of an suposely encrypted connection?
Wow, Jose. You just flunked the test. Good thing this was a practice run. ;^)
systems are being compromised via the ___-__ ___________ ______ _____________________
CRC-32 Compensation Attack Detector Vulnerability http://www.cert.org/advisories/CA-2001-35.htmlI won't take points off Phil for being short a space on the blank for "Compensation". =:^D
-paul _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Test question Phil Wood (Dec 16)
- Re: Test question Jose Celestino (Dec 16)
- Re: Test question Paul Cardon (Dec 16)
- Re: Test question Jose Celestino (Dec 16)
- Re: Test question Paul Cardon (Dec 16)
- Re: Test question Jose Celestino (Dec 16)
- Re: Test question Paul Cardon (Dec 16)
- Re: Test question Erik Fichtner (Dec 16)
- Re: Test question Jose Celestino (Dec 16)
- Re: Test question Greg Herlein (Dec 16)
- Re: Test question Jose Celestino (Dec 16)
- Re: Test question James (Dec 16)
- Re: Test question Ralf Hildebrandt (Dec 17)
- Re: Test question Paul Cardon (Dec 16)
- <Possible follow-ups>
- RE: Test question Ronneil Camara (Dec 16)