Snort mailing list archives

Re: Rules question


From: dr.kaos <dr.kaos () kaos to>
Date: Thu, 14 Feb 2002 14:34:14 -0500

On Thursday 14 February 2002 12:22 pm, Matt Kettler wrote:

[...snip...]

Look at the rule:

attack-responses.rules:alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0***(root)"; classtype:bad-unknown; sid:498; rev:2;)

(I inserted *** in the content section, otherwise this very email will set
off the rule)

So any TCP connection, in any direction, which is connected and has that
text string in it will trigger.

see below...

So text downloading the rules file in uncompressed form will trigger it.
Emails quoting the rule will trigger it (unless modified like this one).
Some OS install/setup/security discussions on websites, email and news will
set it off.

Specifically, a recent e-mail posted to Bugtraq regarding an Ettercap root 
vulnerability triggered it during a pop of one of my mailboxes. I bet this 
was the reason for the original question...

./dr.kaos
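A toy model of how sid 498 is evaluated, added here as an example (not code from the thread or from Snort), that reproduces the false positives discussed above: it parses the quoted rule and applies its three checks (protocol, flags:A+, raw content match) to constructed sample segments. The packet dictionary layout and every sample payload are assumptions made for the example.

```python
import re

# The rule as quoted in the thread, with the author's "***" removed so the content
# option holds the string Snort itself looks for.
RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
        'flags:A+; content:"uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')

def parse_rule(text):
    """Split a one-line Snort rule into its header fields plus an option dict."""
    header, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {k: v.strip('"') for k, v in
            re.findall(r'([A-Za-z_-]+)\s*:\s*("[^"]*"|[^;]*)\s*;', body)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, **opts}

def rule_fires(rule, pkt):
    """pkt = dict(proto, flags, sport, dport, payload). Mirrors what sid 498 checks:
    protocol, ports (all 'any' here), TCP flags ('A+' = ACK plus anything), and a
    case-sensitive substring search over the raw payload."""
    if pkt["proto"] != rule["proto"]:
        return False
    for field in ("sport", "dport"):
        if rule[field] != "any" and rule[field] != str(pkt[field]):
            return False
    want, any_others = rule["flags"].rstrip("+"), rule["flags"].endswith("+")
    have = set(pkt["flags"])
    if not set(want) <= have or (not any_others and have != set(want)):
        return False
    return rule["content"].encode() in pkt["payload"]

# Constructed sample payloads, all carried on an established (ACK-bearing) segment.
SAMPLES = {
    "id output in a real shell session":
        b"# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n# ",
    "POP3 retrieval of a Bugtraq post quoting the string":
        b"+OK 812 octets\r\n...the exploit gave a shell and id returned uid=0(root)...\r\n.\r\n",
    "HTTP download of attack-responses.rules":
        RULE.encode(),
    "this email, with *** inserted":
        b'content: "uid=0***(root)"',
}

def evaluate(rule_text=RULE):
    """Return {label: fired} for every sample; only the *** variant escapes the rule."""
    rule = parse_rule(rule_text)
    return {label: rule_fires(rule, {"proto": "tcp", "flags": "PA", "sport": 110,
                                     "dport": 51000, "payload": payload})
            for label, payload in SAMPLES.items()}
```

Since the rule has no direction, port or session-state constraint beyond ACK, three of the four samples fire; a SYN-only segment carrying the same string does not, which is the only filtering flags:A+ buys.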

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net