[Snort-sigs] FYI : id check returned root

Macbeth, Soren smacbeth at ...167...
Fri Oct 26 21:26:01 EDT 2001


Oddly enough, you triggered that very rule with your email ;)



-----Original Message-----
From: David Kurtz [mailto:dkurtz at ...165...]
Sent: Friday, October 26, 2001 11:51 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] FYI : id check returned root


(in attack-responses.rules)
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root";
flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)

I just wanted to mention that I've been getting some false positives with
this rule lately with ftp d/l of the Red Hat 7.2 ISOs (i.e.
enigma-docs.iso).

I *do* realize that it's a rather wide sweeping rule that could be triggered
easily, but I thought I'd save some other people from eye time at log files
and mention it...


David Kurtz
SysAdmin
Peckham & Wright Architects, Inc.



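The false positive David describes follows directly from the shape of sid 498: the header is `tcp any any -> any any`, so the only things the rule checks are that the ACK flag is set (`flags:A+`) and that the bytes `uid=0(root)` appear somewhere in the payload. Any ACK-carrying segment of a bulk transfer whose data happens to contain that string, such as a documentation ISO, matches exactly as a real `id` response would. The following is an added example, not code from the list post and not Snort's own matcher: it parses the quoted rule into its header fields and options and applies it to a few constructed TCP segments. Simplifications that are assumptions of this example: only `->` rules with literal `any` or single-port/address fields are handled, `flags:A+` is read as "ACK set, any other flags allowed", and only the `flags` and `content` options are evaluated.

```python
import re
from dataclasses import dataclass

# The rule exactly as quoted in the thread (attack-responses.rules, sid 498).
RULE = ('alert tcp any any -> any any '
        '(msg:"ATTACK RESPONSES id check returned root"; '
        'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')


@dataclass
class Segment:
    """A constructed TCP segment carrying only the fields the rule inspects."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "A", "AP", "S"
    payload: bytes


def parse_rule(text):
    """Split a Snort 1.x rule into header fields plus an options dict.

    Assumption of this example: the header has the shape
    'action proto src sport -> dst dport'; option values stay raw strings.
    """
    head, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    if direction != "->":
        raise ValueError("only unidirectional ('->') rules are handled here")
    options = {}
    # key:value; pairs, where the value is either a quoted string or bare text
    for m in re.finditer(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]+));', opts):
        key, quoted, bare = m.groups()
        options[key] = quoted if quoted is not None else bare.strip()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def addr_matches(spec, addr):
    return spec == "any" or spec == addr          # no CIDR support (assumption)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port     # no port ranges (assumption)


def flags_match(spec, flags):
    """Snort flag modifiers: '+' = listed flags plus any others, '*' = any of
    the listed flags, otherwise an exact flag set."""
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(flags)
    if spec.endswith("*"):
        return bool(set(spec[:-1]) & set(flags))
    return set(spec) == set(flags)


def rule_matches(rule, seg):
    """Return True when the parsed rule would alert on this segment."""
    if rule["proto"] != "tcp":
        return False
    if not (addr_matches(rule["src"], seg.src) and port_matches(rule["sport"], seg.sport)
            and addr_matches(rule["dst"], seg.dst) and port_matches(rule["dport"], seg.dport)):
        return False
    opts = rule["options"]
    if "flags" in opts and not flags_match(opts["flags"], seg.flags):
        return False
    if "content" in opts and opts["content"].encode() not in seg.payload:
        return False
    return True


# Constructed traffic samples (not captured data):
SAMPLES = {
    # a server answering `id` on a telnet session: the event the rule is for
    "telnet id response": Segment("10.0.0.5", 23, "10.0.0.9", 41022, "AP",
                                  b"uid=0(root) gid=0(root) groups=0(root)\r\n# "),
    # one ftp-data segment of a documentation ISO whose text mentions the string
    "ftp-data ISO chunk": Segment("192.0.2.10", 20, "10.0.0.9", 35870, "A",
                                  b"\x00" * 300 + b"The id command prints uid=0(root) "
                                  b"when run by the superuser." + b"\x00" * 300),
    # a SYN carries no ACK, so flags:A+ fails even if the bytes were present
    "SYN without ACK": Segment("10.0.0.9", 41022, "10.0.0.5", 23, "S",
                               b"uid=0(root)"),
    # ordinary ACK data without the content string
    "unrelated ACK data": Segment("192.0.2.10", 20, "10.0.0.9", 35870, "A",
                                  b"\x7fELF" + b"\x00" * 600),
}


def run_demo(rule_text=RULE):
    """Apply the rule to every sample; returns {label: matched}."""
    rule = parse_rule(rule_text)
    return {label: rule_matches(rule, seg) for label, seg in SAMPLES.items()}


if __name__ == "__main__":
    for label, hit in run_demo().items():
        print(f"{'ALERT ' if hit else 'pass  '} sid=498  {label}")
```

Running it shows the ISO segment alerting alongside the genuine `id` output: nothing in the rule distinguishes a response to a command from a file that merely contains the same eleven bytes, which is the "rather wide sweeping" behaviour the original post points out.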