[Snort-sigs] ATTACK RESPONSES id check returned root (sid:498)

Brian bmc at ...95...
Thu Jan 23 19:20:04 EST 2003


On Thu, Jan 23, 2003 at 02:19:35PM +0100, m at ...1214... wrote:
> Dear all, 
>  
> Is there any good reason to have the sid:498 rule:
>  
> alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root";
> content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
>  
> instead of 
>  
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check
> returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498;
> rev:3;)
>  
> I know it's a very minor question, don't get annoyed

We don't mind minor questions.  (As long as you haven't asked it twice
already with responses)

Actually, it's just a preference thing.  That string is such that I'd
like to know when it happens any time.

Personally, though, I've modified it for my uses in the past:

   alert ip any any -> !$SMTP_SERVERS !25 (...)

But that's because I'm not that concerned with my SMTP server compromising
someone else.  Not as concerned as I am with all the false positives
thanks to bugtraq (and this mailing list).

-brian
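To make the trade-off in this thread concrete, here is an added example (not Snort code and not from either poster) that evaluates the header and content parts of the three sid:498 variants discussed above against a few constructed flows. The variable values (HOME_NET, EXTERNAL_NET, SMTP_SERVERS) and the sample flows, including the "bugtraq mail containing uid=0(root)" false positive Brian mentions, are assumptions for a lab network; the matcher only handles the address/port negation and variable syntax these three rules use, not Snort's full rule language.

```python
"""Toy evaluator for the header and content options of Snort sid:498 variants.

Added example for the Snort-sigs thread above; it is not Snort's matcher.
Variable values and flows are constructed lab data (assumptions).
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed lab values for the Snort variables (not from the thread).
VARS = {
    "HOME_NET": "10.0.0.0/8",
    "EXTERNAL_NET": "!$HOME_NET",
    "SMTP_SERVERS": "10.0.0.25/32",
}

# The three variants discussed in the thread; the "(...)" body Brian elided is
# filled in with the same options as the stock rule for evaluation purposes.
RULES = {
    "original": 'alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
                'content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)',
    "home_to_external": 'alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check '
                        'returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)',
    "not_smtp": 'alert ip any any -> !$SMTP_SERVERS !25 (msg:"ATTACK RESPONSES id check returned root"; '
                'content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)',
}


@dataclass
class Flow:
    """One direction of a connection: who sent the payload to whom."""
    label: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic (assumptions, not captured data).
FLOWS = [
    # A bugtraq post quoting an exploit session is delivered to the SMTP server.
    Flow("bugtraq_mail", "203.0.113.5", 4321, "10.0.0.25", 25,
         b"Subject: [BUGTRAQ] local root\r\n\r\n$ ./exploit\n# id\nuid=0(root) gid=0(root)\n"),
    # An internal host answers an attacker's `id` with a root prompt.
    Flow("reverse_shell", "10.0.0.7", 6000, "203.0.113.9", 51000,
         b"uid=0(root) gid=0(root) groups=0(root)\n"),
    # Same thing, but the shell is being used to pivot to another internal box.
    Flow("internal_pivot", "10.0.0.7", 6000, "10.0.0.8", 51000,
         b"uid=0(root) gid=0(root)\n"),
    # Benign: an unprivileged user running `id`; no rule should fire.
    Flow("benign_id", "10.0.0.7", 6000, "203.0.113.9", 51000,
         b"uid=1000(alice) gid=1000(alice)\n"),
]

HEADER_RE = re.compile(r"^alert\s+ip\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")
CONTENT_RE = re.compile(r'content:\s*"([^"]*)"')


def addr_matches(spec: str, addr: str) -> bool:
    """Address spec: 'any', a CIDR, '$VAR', or any of those prefixed with '!'."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_matches(VARS[spec[1:]], addr)  # variables may themselves be negated
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Port spec: 'any', a single port, or either prefixed with '!'."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    return int(spec) == port


def rule_matches(rule: str, flow: Flow) -> bool:
    """True when the header constraints and the content option both hold."""
    header = HEADER_RE.match(rule)
    content = CONTENT_RE.search(rule)
    if not header or not content:
        raise ValueError("unsupported rule syntax for this toy matcher")
    src, sport, dst, dport = header.groups()
    return (addr_matches(src, flow.src) and port_matches(sport, flow.sport)
            and addr_matches(dst, flow.dst) and port_matches(dport, flow.dport)
            and content.group(1).encode() in flow.payload)


def evaluate(rules=RULES, flows=FLOWS) -> dict:
    """Map each rule variant to the labels of the flows it would alert on."""
    return {name: [f.label for f in flows if rule_matches(rule, f)]
            for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:18s} -> {hits}")
```

Running it shows the point of the thread: the stock `any any -> any any` rule fires on the mailing-list post as well as on both real shells, the `$HOME_NET -> $EXTERNAL_NET` variant stays quiet on the mail but also misses the internal pivot, and Brian's `!$SMTP_SERVERS !25` version keeps the pivot while dropping only traffic delivered to the mail server.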
