[Snort-sigs] ATTACK RESPONSES id check returned root (sid:498)

m@...1214... 27gb7uy02 at ...1212...
Thu Jan 23 05:29:14 EST 2003


Dear all, 
 
Is there any good reason to have the sid:498 rule:
 
alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
 
instead of 
 
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
 
I know it's a very minor question, don't get annoyed
 
Max 
 