Snort mailing list archives

RE: Test question


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 17 Dec 2001 00:23:30 -0600

Hi guys,

It's only now that I checked my snort alerts. I found out that I had 35
"ATTACK RESPONSES id check returned root" alerts on port 25. How would I turn
this false positive off?

Thanks.

-> -----Original Message-----
-> From: Erik Fichtner [mailto:emf () servervault com]
-> Sent: Sunday, December 16, 2001 11:10 PM
-> To: Paul Cardon
-> Cc: Jose Celestino; Phil Wood; snort-users () lists sourceforge net
-> Subject: Re: [Snort-users] Test question
-> 
-> 
-> Thus spake Phil Wood, on Sun, Dec 16, 2001 at 07:12:01PM -0700:
->  
-> >alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root";
-> >flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
-> >
-> >I'd like to compliment the person who developed this rule.
-> >Secondly, I'd like to propose a question to tickle your fancy.
-> >If the second any were 22, and the first any was on your network, what
-> >would the classtype be?
-> 
-> I propose a new classtype:  "game-over.you-lose.". [1]
-> 
-> 
-> You know, the only thing wrong with that rule is that it falses every time
-> anyone talks about that rule in an email and then you have to go dig up the
-> packet to make sure that your mail relay hasn't been porked (unless, for some
-> reason, you read your snort-users BEFORE you read your alarm messages, in
-> which case, shame on you.)
-> 
-> 
-> [1] Or maybe something with more of a new millennium feel to it, like
-> "you-are-the-weakest-link-goodbye".  More apropos for worm compromises.
-> 
-> 
-> 
-> -- 
-> Erik Fichtner
-> Security Administrator, ServerVault, Inc.
-> 703-333-5900
-> 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
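Erik's point that sid 498 fires on any mail that quotes it, and Ronneil's port-25 alerts, modelled as an added example (not Snort's code and not from the thread): a toy evaluator for the rule's header ports, flags:A+ and content option, run over two constructed TCP segments. The `!25` destination-port negation in the tuned rule is ordinary Snort header syntax, but the tuning itself is an assumption for illustration; the example shows what it suppresses and what it keeps.

```python
from dataclasses import dataclass

# sid 498 as quoted in the thread, plus a tuned variant (assumed tuning, not from
# the thread) whose destination port excludes traffic heading into SMTP servers.
ORIGINAL_RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check '
                 'returned root"; flags:A+; content: "uid=0(root)"; '
                 'classtype:bad-unknown; sid:498; rev:2;)')
TUNED_RULE = ORIGINAL_RULE.replace("-> any any", "-> any !25")

@dataclass
class Packet:
    """Constructed minimal TCP segment model (not Snort's decoder)."""
    sport: int
    dport: int
    ack: bool
    payload: bytes

def port_matches(spec: str, port: int) -> bool:
    """Header port subset: 'any', a single port, or '!port' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)

def rule_matches(rule: str, pkt: Packet) -> bool:
    """Evaluate a one-line rule: src/dst ports, flags:A+, and content."""
    header, body = rule.split("(", 1)
    _action, _proto, _src, sport, _arrow, _dst, dport = header.split()
    if not (port_matches(sport, pkt.sport) and port_matches(dport, pkt.dport)):
        return False
    # 'key:value;' options; the trailing ')' closes the option list
    pairs = (o.split(":", 1) for o in body.rstrip().rstrip(")").split(";") if o.strip())
    opts = {k.strip(): v.strip() for k, v in pairs}
    if "A" in opts.get("flags", "") and not pkt.ack:
        return False                      # flags:A+ needs ACK set
    needle = opts["content"].strip('"').encode()
    return needle in pkt.payload          # raw substring match, like content:

# Constructed traffic: a real shell reply from a compromised web server, and an
# SMTP DATA segment carrying an e-mail that merely quotes the rule text.
SHELL_REPLY = Packet(80, 33001, True, b"uid=0(root) gid=0(root) groups=0(root)\r\n")
SMTP_QUOTE = Packet(41002, 25, True,
                    b'Subject: Re: Test question\r\n\r\n> content: "uid=0(root)";\r\n')

def evaluate() -> dict:
    """Map each constructed packet to (original fires, tuned fires)."""
    return {name: (rule_matches(ORIGINAL_RULE, p), rule_matches(TUNED_RULE, p))
            for name, p in (("shell_reply", SHELL_REPLY), ("smtp_quote", SMTP_QUOTE))}
```

The original rule fires on both segments; the tuned one still catches the shell reply but stays quiet on the mail that quotes the rule. Before adopting any such tuning, pull the packet behind each alert, as Erik says, so you know it really was the quoted text and not the relay.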

