Snort mailing list archives

Re: Test question


From: Erik Fichtner <emf () servervault com>
Date: Mon, 17 Dec 2001 00:10:14 -0500


Thus spake Phil Wood, on Sun, Dec 16, 2001 at 07:12:01PM -0700:
 
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; 
classtype:bad-unknown; sid:498; rev:2;)

I'd like to compliment the person who developed this rule.
Secondly, I'd like to propose a question to tickle your fancy.
If the second any were 22, and the first any was on your network, what 
would the classtype be?  

I propose a new classtype:  "game-over.you-lose.". [1]


You know, the only thing wrong with that rule is that it falses every time
anyone talks about that rule in an email and then you have to go dig up the
packet to make sure that your mail relay hasn't been porked (unless, 
for some reason, you read your snort-users BEFORE you read your alarm 
messages, in which case, shame on you.)


[1] Or maybe something with more of a new millennium feel to it, like 
"you-are-the-weakest-link-goodbye".  More apropos for worm compromises.



-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
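To make the false-positive point concrete, here is an added example (not part of the original thread or of Snort itself): a toy matcher for the header, `flags:A+` and `content` options of sid 498, run over constructed packets, including an SMTP relay of this very message. Addresses, ports and payloads are made up for the example.

```python
import re
from dataclasses import dataclass

# The rule quoted in the thread (Snort sid 498), used verbatim as parser input.
RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
        'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "A", "PA", "S"
    payload: bytes

def parse_rule(rule: str) -> dict:
    """Extract the header and the few options this toy matcher understands."""
    hdr, opts = re.match(r'alert tcp (\S+ \S+ -> \S+ \S+) \((.*)\)$', rule).groups()
    src, sport, _, dst, dport = hdr.split()
    options = dict(o.strip().split(':', 1) for o in opts.split(';') if o.strip())
    return {'src': src, 'sport': sport, 'dst': dst, 'dport': dport,
            'flags': options['flags'].strip(),
            'content': options['content'].strip().strip('"').encode(),
            'sid': options['sid'].strip()}

def flags_match(spec: str, pkt_flags: str) -> bool:
    # 'A+': ACK must be set, other flags may be set too; plain 'A': exactly ACK.
    if spec.endswith('+'):
        return set(spec[:-1]) <= set(pkt_flags)
    return set(spec) == set(pkt_flags)

def field_match(spec: str, value) -> bool:
    return spec == 'any' or spec == str(value)

def matches(rule: dict, pkt: Packet) -> bool:
    return (field_match(rule['src'], pkt.src) and field_match(rule['sport'], pkt.sport)
            and field_match(rule['dst'], pkt.dst) and field_match(rule['dport'], pkt.dport)
            and flags_match(rule['flags'], pkt.flags) and rule['content'] in pkt.payload)

# Constructed sample traffic for the example (all values made up).
SAMPLES = {
    # A shell reply carrying the output of `id`: the case the rule was written for.
    'shell_reply': Packet('10.0.0.5', 4444, '192.0.2.9', 51000, 'PA',
                          b'$ id\nuid=0(root) gid=0(root)\n'),
    # This list message relayed over SMTP: the false positive Erik describes.
    'smtp_relay': Packet('192.0.2.9', 40123, '10.0.0.25', 25, 'PA',
                         b'Subject: Re: Test question\r\n\r\ncontent: "uid=0(root)";\r\n'),
    # A bare SYN with no payload: flags:A+ is not satisfied, so no alert.
    'syn_only': Packet('192.0.2.9', 40124, '10.0.0.25', 25, 'S', b''),
}

def evaluate(rule_text: str = RULE) -> dict:
    rule = parse_rule(rule_text)
    return {name: matches(rule, pkt) for name, pkt in SAMPLES.items()}
```

Both the real shell reply and the mail relay trigger the rule, which is exactly why the alert has to be checked against the captured packet rather than trusted on its own.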
