[Snort-sigs] ATTACK RESPONSES id check returned root (sid:498)

Erek Adams erek at ...95...
Thu Jan 23 06:37:01 EST 2003


On Thu, 23 Jan 2003, m at ...1214... wrote:

> Is there any good reason to have the sid:498 rule:
>
> alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root";
> content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
>
> instead of
>
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check
> returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498;
> rev:3;)
>
> I know it's a very minor question, don't get annoyed

Well, I want to know when it 'comes into' OR leaves my net instead of just
leaves.  :)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

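The difference between the two rule headers discussed above, as an added example that is not part of the original post or of Snort itself: a small evaluator for the `src -> dst` header plus the `content` match, run over constructed packets. The HOME_NET range, the definition of $EXTERNAL_NET as "not HOME_NET", and all addresses and payloads are assumptions for illustration; the example also shows the internal-to-internal case, which the thread does not mention.

```python
import ipaddress

# Assumed value for illustration; a real sensor sets this in snort.conf.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

def in_var(addr, var):
    """Evaluate a Snort-style address variable against one IP address."""
    ip = ipaddress.ip_address(addr)
    if var == "any":
        return True
    if var == "$HOME_NET":
        return ip in HOME_NET
    if var == "$EXTERNAL_NET":  # assumed to be defined as !$HOME_NET
        return ip not in HOME_NET
    raise ValueError(f"unknown variable {var}")

def rule_fires(src_var, dst_var, content, pkt):
    """Unidirectional '->' header test, then the content match."""
    return (in_var(pkt["src"], src_var)
            and in_var(pkt["dst"], dst_var)
            and content in pkt["payload"])

CONTENT = b"uid=0(root)"
RULES = {
    "any->any": ("any", "any"),                        # sid:498 as shipped
    "home->external": ("$HOME_NET", "$EXTERNAL_NET"),  # proposed variant
}

ROOT_ID = b"uid=0(root) gid=0(root) groups=0(root)\n"
USER_ID = b"uid=1000(alice) gid=1000(alice)\n"

# Constructed sample packets (203.0.113.0/24 is a documentation range).
PACKETS = {
    "outbound": {"src": "192.168.1.10", "dst": "203.0.113.5", "payload": ROOT_ID},
    "inbound": {"src": "203.0.113.5", "dst": "192.168.1.10", "payload": ROOT_ID},
    "internal": {"src": "192.168.1.10", "dst": "192.168.1.20", "payload": ROOT_ID},
    "outbound_user": {"src": "192.168.1.10", "dst": "203.0.113.5", "payload": USER_ID},
}

def coverage():
    """Map each rule header to the sorted names of packets it alerts on."""
    return {
        name: sorted(p for p, pkt in PACKETS.items()
                     if rule_fires(src, dst, CONTENT, pkt))
        for name, (src, dst) in RULES.items()
    }

if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:15} alerts on: {', '.join(hits)}")
```
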


