Snort mailing list archives
RE: Test question
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 17 Dec 2001 00:23:30 -0600
Hi guys,

It's only now that I checked my snort alerts. I found out that I had 35 "ATTACK RESPONSES id check returned root" alerts on port 25. How would I turn this false positive off?

Thanks.

> -----Original Message-----
> From: Erik Fichtner [mailto:emf () servervault com]
> Sent: Sunday, December 16, 2001 11:10 PM
> To: Paul Cardon
> Cc: Jose Celestino; Phil Wood; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Test question
>
> Thus spake Phil Wood, on Sun, Dec 16, 2001 at 07:12:01PM -0700:
>
> > alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
> >
> > I'd like to compliment the person who developed this rule.
> > Secondly, I'd like to propose a question to tickle your fancy.
> > If the second any were 22, and the first any was on your network, what
> > would the classtype be?
>
> I propose a new classtype: "game-over.you-lose.". [1]
>
> You know, the only thing wrong with that rule is that it falses every time
> anyone talks about that rule in an email and then you have to go dig up the
> packet to make sure that your mail relay hasn't been porked (unless,
> for some reason, you read your snort-users BEFORE you read your alarm
> messages, in which case, shame on you.)
>
> [1] Or maybe something with more of a new millennium feel to it, like
> "you-are-the-weakest-link-goodbye". More apropos for worm compromises.
>
> --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
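The rule quoted in the thread keys only on the bytes "uid=0(root)" in any ACK-flagged TCP segment, on any port, which is why a mail message quoting the rule trips it on port 25. The following toy matcher is an added illustration, not code from the thread or from Snort itself; the packets are constructed, and the port-25 exclusion is an assumed tightening shown for comparison, not something the list recommended.

```python
# Added example: emulate what sid:498 matches and why SMTP traffic quoting
# the rule produces a false positive. Packets below are constructed.
from dataclasses import dataclass


@dataclass
class Packet:
    src_port: int
    dst_port: int
    ack: bool          # "flags:A+": ACK bit set, any other flags allowed
    payload: bytes


RULE_CONTENT = b"uid=0(root)"   # the content: option from the quoted rule


def sid498_matches(pkt: Packet) -> bool:
    """Emulate 'alert tcp any any -> any any (flags:A+; content:"uid=0(root)")'.
    Snort's content match is a case-sensitive byte search, like bytes 'in'."""
    return pkt.ack and RULE_CONTENT in pkt.payload


def sid498_no_smtp(pkt: Packet) -> bool:
    """Assumed tightening (not from the thread): same match, but ignore
    segments to or from port 25. Fewer mail-quoting falses, less coverage."""
    return sid498_matches(pkt) and 25 not in (pkt.src_port, pkt.dst_port)


# Constructed: output of 'id' coming back over a shell session (true positive).
SHELL_REPLY = Packet(22, 40123, True,
                     b"uid=0(root) gid=0(root) groups=0(root)\r\n")

# Constructed: SMTP DATA segment of an email quoting the rule (false positive).
MAIL_DATA = Packet(40124, 25, True,
    b"Subject: Re: Test question\r\n\r\n"
    b'> alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned'
    b' root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown;'
    b' sid:498; rev:2;)\r\n')

# Constructed: a segment without ACK never matches because of flags:A+.
NO_ACK = Packet(40125, 22, False, b"uid=0(root)")


def triage(packets):
    """Return (alerts from the rule as written, alerts after excluding SMTP)."""
    return ([p for p in packets if sid498_matches(p)],
            [p for p in packets if sid498_no_smtp(p)])


if __name__ == "__main__":
    raw, tightened = triage([SHELL_REPLY, MAIL_DATA, NO_ACK])
    print(len(raw), "alerts from the rule as written")      # 2
    print(len(tightened), "alerts after ignoring port 25")  # 1
```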