[Snort-sigs] ATTACK RESPONSES id check returned root (sid:498 )

joe.pepin at ...399... joe.pepin at ...399...
Thu Jan 23 14:00:04 EST 2003

The only times I have ever seen this alert trip is when someone recieves an
email regarding some sort of security issue, either a bulletin, or something
of the sort.

There was an email that securityfocus sent out once, about six months ago,
that set this off to a tremendous degree in my network...  Until I saw that
that the sources were all securityfocus' mailserver, it looked like my
mailserver had hacked 30 or 40 boxes...



-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...651...]
Sent: Thursday, January 23, 2003 3:41 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] ATTACK RESPONSES id check returned root

Hmm, I don't know how useful this rule is. All of these mails set off alerts
on my system :-)

Couldn't a depth: option be used to limit these falsies? I mean, don't hacks
that return this string be doing it pretty early in the piece?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list