[Snort-sigs] SID 1882

Jon warchild at ...288...
Wed Feb 12 20:27:13 EST 2003


On Wed, Feb 12, 2003 at 11:05:37PM -0500, Anton Chuvakin wrote:
> -- 
> 
> False Positives: the signature will trigger if a legitimate system
> administrator executes the "id" command over the telnet connection
> which uses one of the web ports, as defined in snort.conf

The only comment I have about this (and the 4 other docs you sent) is that
the rule in its current state is fairly prone to false positives.  This is
because it simply checks for the two strings "uid=" and "$username", but
doesn't check how close they are.

I believe this topic was discussed here previously, but it might be worth
mentioning in your documentation anyway.

-jon

(PS -- just to note.  Of all the times that these groups of sigs have been
triggered, only a handful of times were they false positives, so in my
experience the false positive rate for these is very, very low, but the
probability is pretty good)
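
The proximity point raised in the reply above, as an added example that is not part of the original message or of the Snort rule set: it compares a match on two independent strings with one that requires the second string shortly after the first, in the spirit of Snort's `within` modifier. The payloads, the `apache` username and the 16-byte window are constructed assumptions.

```python
# Added illustration: two-string matching with and without a proximity bound.
# All payloads, the username and the window size below are constructed.

def find_all(data: bytes, needle: bytes):
    """Yield every offset at which needle occurs in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)

def loose_match(payload: bytes, user: bytes) -> bool:
    """Fires when both strings appear anywhere in the payload."""
    return b"uid=" in payload and user in payload

def bounded_match(payload: bytes, user: bytes, within: int = 16) -> bool:
    """Fires only when user lies wholly inside the `within` bytes
    that follow some occurrence of "uid="."""
    for pos in find_all(payload, b"uid="):
        start = pos + len(b"uid=")
        if user in payload[start:start + within]:
            return True
    return False

USER = b"apache"  # hypothetical account name

# Constructed: output of the id command returned over a web port.
ID_OUTPUT = b"uid=48(apache) gid=48(apache) groups=48(apache)\n"

# Constructed: ordinary page with a uid= query string and, much later,
# the same word in unrelated text.
BENIGN_PAGE = (
    b'<a href="/member.php?uid=1042">member</a>\n'
    b"<p>Forum index, page 3 of 17</p>\n"
    b"<p>This site runs on the apache web server.</p>\n"
)

def evaluate():
    """Return {label: (loose, bounded)} for the constructed payloads."""
    samples = {"id_output": ID_OUTPUT, "benign_page": BENIGN_PAGE}
    return {name: (loose_match(data, USER), bounded_match(data, USER))
            for name, data in samples.items()}

if __name__ == "__main__":
    for name, (loose, bounded) in evaluate().items():
        print(f"{name}: loose={loose} bounded={bounded}")
```

The loose check fires on both payloads, while the bounded check fires only on the `id` output.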



