[Snort-sigs] FYI : id check returned root

Macbeth, Soren smacbeth at ...167...
Fri Oct 26 21:26:01 EDT 2001

oddly enough,
you triggered that very rule with your email ;)

-----Original Message-----
From: David Kurtz [mailto:dkurtz at ...165...]
Sent: Friday, October 26, 2001 11:51 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] FYI : id check returned root

(in attack-responses.rules)
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root";
flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)

I just wanted to mention that I've been getting some false positives with
this rule lately with ftp d/l of the redhat 7.2 iso's (i.e.

I *do* realize that it's a rather wide sweeping rule that could be triggered
easily, but I thought I'd save some other people from eye time at log files
and mention it...

David Kurtz
Peckham & Wright Architects, Inc.
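As an added illustration (not part of this thread or of the Snort rule set), the snippet below models the content match in sid:498 rev:2 against constructed packets: a real `id` reply and a slice of a bulk FTP download that happens to carry the same bytes. The FTP data port, the payload-length bound and the tuned variant are assumptions made for the example, not the project's rule.

```python
# Added example (not from the Snort-sigs thread or the Snort project): a small
# model of the content match in sid:498 rev:2, showing why an FTP ISO download
# can trip it and how a port/size restriction would separate the two cases.
from dataclasses import dataclass

RULE_CONTENT = b"uid=0(root)"  # the content: clause of sid:498, rev:2


@dataclass
class Packet:
    src_port: int
    dst_port: int
    ack: bool      # TCP ACK flag; flags:A+ requires it to be set
    payload: bytes


def sid498_matches(pkt: Packet) -> bool:
    """Rule as posted: any port, either direction, ACK set, content anywhere."""
    return pkt.ack and RULE_CONTENT in pkt.payload


FTP_DATA_PORT = 20        # assumption: active-mode FTP data channel
MAX_ID_REPLY_LEN = 128    # assumption: an interactive `id` reply is short


def sid498_tuned_matches(pkt: Packet) -> bool:
    """Hypothetical tuning, not the project's rule: ignore the FTP data
    channel and require the match in a short payload, as a shell's reply
    to `id` would be; a 1 KB slice of an ISO does not qualify."""
    if FTP_DATA_PORT in (pkt.src_port, pkt.dst_port):
        return False
    return pkt.ack and len(pkt.payload) <= MAX_ID_REPLY_LEN and RULE_CONTENT in pkt.payload


# Constructed sample packets.
SHELL_REPLY = Packet(23, 40001, True, b"uid=0(root) gid=0(root) groups=0(root)\n")
# A chunk of a bulk download carrying a packaged text file that happens to
# quote `id` output; the surrounding bytes are arbitrary filler.
ISO_CHUNK = Packet(20, 40002, True,
                   b"\x00" * 512 + b"Example:\n  uid=0(root) gid=0(root)\n" + b"\xff" * 512)
SYN_ONLY = Packet(40003, 21, False, b"")


def evaluate(pkt: Packet) -> dict:
    """Return the verdict of both rule variants for one packet."""
    return {"original": sid498_matches(pkt), "tuned": sid498_tuned_matches(pkt)}


if __name__ == "__main__":
    for name, pkt in (("shell reply", SHELL_REPLY), ("iso chunk", ISO_CHUNK), ("syn only", SYN_ONLY)):
        print(f"{name:12s} {evaluate(pkt)}")
```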
