[Snort-sigs] FYI : id check returned root
smacbeth at ...167...
Fri Oct 26 21:26:01 EDT 2001
you triggered that very rule with your email ;)
From: David Kurtz [mailto:dkurtz at ...165...]
Sent: Friday, October 26, 2001 11:51 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] FYI : id check returned root
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root";
flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
I just wanted to mention that I've been getting some false positives with
this rule lately with ftp d/l of the redhat 7.2 iso's (i.e.
I *do* realize that it's a rather wide sweeping rule that could be triggered
easily, but I thought I'd save some other people from eye time at log files
and mention it...
Peckham & Wright Architects, Inc.
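
Added example, not part of the original thread or the Snort ruleset: a Python sketch of why sid:498 fires on both the FTP transfer and the e-mail quoting the rule. It mimics only the rule's content match (the flags:A+ test is ignored); the stricter `looks_like_id_output` pattern and all sample payloads are constructed assumptions for illustration.

```python
import re

# Literal that sid:498 searches for anywhere in the TCP payload.
SID498_CONTENT = b"uid=0(root)"

# Hypothetical stricter check (an assumption, not a Snort rule): the string must
# start a line and be followed by the gid field that real `id` output carries.
ID_OUTPUT = re.compile(rb"(?m)^uid=0\(root\) gid=\d+\([^)\r\n]+\)")


def sid498_matches(payload: bytes) -> bool:
    """Mimic the rule's content match: plain substring search, no context."""
    return SID498_CONTENT in payload


def looks_like_id_output(payload: bytes) -> bool:
    """True only when the payload contains a line shaped like `id` run as root."""
    return ID_OUTPUT.search(payload) is not None


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "shell_id_output": b"$ id\nuid=0(root) gid=0(root) groups=0(root)\n",
    "email_quoting_rule": b'flags:A+; content: "uid=0(root)"; classtype:bad-unknown;\r\n',
    "ftp_data_chunk": b"\x00\x1f\x8b README: id prints uid=0(root) when run as root\x00\xff",
    "http_page": b"HTTP/1.0 200 OK\r\n\r\n<html>hello</html>",
}


def triage(samples):
    """Return {name: (rule_fires, stricter_check_fires)} for each payload."""
    return {n: (sid498_matches(p), looks_like_id_output(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (rule, strict) in triage(SAMPLES).items():
        print(f"{name:20} sid498={rule!s:5} strict={strict}")
```

The stricter pattern still fires on any file or message that carries a complete `id` output line, so it narrows the false positives described above without removing them.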