[Snort-sigs] FYI : id check returned root
dkurtz at ...165...
Fri Oct 26 20:51:01 EDT 2001
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root";
flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
I just wanted to mention that I've been getting some false positives with
this rule lately with FTP d/l of the Red Hat 7.2 ISOs (i.e.
I *do* realize that it's a rather wide sweeping rule that could be triggered
easily, but I thought I'd save some other people from eye time at log files
and mention it...
Peckham & Wright Architects, Inc.
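
Added example, not part of the original post or of Snort: a Python sketch that emulates the rule's content match on constructed payloads and shows why a chunk of a bulk file transfer fires it just like real `id` output does. The triage thresholds, the `ID_OUTPUT` pattern and the sample payloads are assumptions made for illustration.

```python
import re

# Literal the rule (sid 498) searches for anywhere in a TCP payload.
RULE_CONTENT = b"uid=0(root)"

# Assumption: real `id` output is a short text line of the form
# "uid=0(root) gid=0(root) groups=...", not a fragment inside a bulk transfer.
ID_OUTPUT = re.compile(rb"uid=0\(root\) gid=\d+\([\w.-]+\)")
MAX_RESPONSE_LEN = 512      # assumed ceiling for a command-response segment
MIN_PRINTABLE_RATIO = 0.9   # assumed floor for "looks like terminal text"


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's content test: plain substring search."""
    return RULE_CONTENT in payload


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not payload:
        return 0.0
    ok = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(payload)


def triage(payload: bytes) -> str:
    """Classify a payload as 'no-alert', 'likely-bulk-data' or 'review'."""
    if not rule_matches(payload):
        return "no-alert"
    looks_like_id = ID_OUTPUT.search(payload) is not None
    small_text = (len(payload) <= MAX_RESPONSE_LEN
                  and printable_ratio(payload) >= MIN_PRINTABLE_RATIO)
    return "review" if looks_like_id and small_text else "likely-bulk-data"


# Constructed payloads (not captured traffic).
SAMPLES = {
    "shell_response": b"uid=0(root) gid=0(root) groups=0(root),1(bin)\n",
    "iso_chunk": bytes(range(256)) * 4 + b"run id, expect uid=0(root)" + b"\x00" * 400,
    "web_page": b"HTTP/1.0 200 OK\r\n\r\n<html>hello</html>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: rule={rule_matches(data)} triage={triage(data)}")
```

The triage step only ranks alerts for review; genuine `id` output carried inside a larger or mixed segment would land in the "likely-bulk-data" bucket, so that bucket is deprioritised rather than discarded.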