[Snort-sigs] ATTACK RESPONSES id check returned root (sid:498)
bmc at ...95...
Thu Jan 23 19:20:04 EST 2003
On Thu, Jan 23, 2003 at 02:19:35PM +0100, m at ...1214... wrote:
> Dear all,
> Is there any good reason to have the sid:498 rule:
> alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root";
> content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
> instead of
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check
> returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498;
> I know it's a very minor question, don't get annoyed
We don't mind minor questions. (As long as you haven't asked it twice
already with responses)
Actually, it's just a preference thing. That string is such that I'd
like to know when it happens any time.
Personally, though, I've modified it for my uses in the past:
alert ip any any -> !$SMTP_SERVERS !25 (...)
But that's because I'm not that concerned with my SMTP server compromising
someone else. Not as concerned as I am with all the false positives
thanks to bugtraq (and this mailing list).
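As an added illustration (not part of the thread), a small Python evaluator of the three sid:498 header variants discussed above, run over constructed traffic; the `$HOME_NET` and `$SMTP_SERVERS` values, the `Packet` helper and the sample packets are assumptions, not anything from the list archive.

```python
import ipaddress
from collections import namedtuple

# Assumed network variables (not from the post): $HOME_NET and $SMTP_SERVERS.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
SMTP_SERVERS = [ipaddress.ip_network("10.0.0.25/32")]
CONTENT = b"uid=0(root)"  # the content: match shared by all three header variants

# Minimal stand-in for a decoded packet (hypothetical helper).
Packet = namedtuple("Packet", "src sport dst dport payload")

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def rule_any_any(p):
    # alert ip any any -> any any: the header never restricts, content decides.
    return CONTENT in p.payload

def rule_homenet_out(p):
    # alert ip $HOME_NET any -> $EXTERNAL_NET any: only outbound from HOME_NET.
    return CONTENT in p.payload and in_nets(p.src, HOME_NET) and not in_nets(p.dst, HOME_NET)

def rule_not_smtp(p):
    # alert ip any any -> !$SMTP_SERVERS !25: anything except delivery to the mail server.
    return CONTENT in p.payload and not in_nets(p.dst, SMTP_SERVERS) and p.dport != 25

def evaluate(p):
    return {"any_any": rule_any_any(p), "homenet_out": rule_homenet_out(p),
            "not_smtp": rule_not_smtp(p)}

# Constructed traffic samples (documentation/private address ranges).
TRAFFIC = {
    # compromised internal host echoing `id` output to an outside listener
    "shell_out": Packet("10.1.2.3", 4444, "198.51.100.7", 31337, b"$ id\nuid=0(root) gid=0(root)\n"),
    # bugtraq digest quoting `id` output, delivered to the internal SMTP server
    "bugtraq_mail": Packet("198.51.100.9", 40123, "10.0.0.25", 25, b"...and then: uid=0(root)...\r\n"),
    # the same string moving between two internal hosts
    "internal": Packet("10.1.2.3", 22, "10.9.9.9", 50000, b"uid=0(root) gid=0(root)"),
    # unprivileged id output: no variant should fire
    "benign": Packet("10.1.2.3", 4444, "198.51.100.7", 31337, b"uid=1000(alice) gid=1000(alice)"),
}

if __name__ == "__main__":
    for name, pkt in TRAFFIC.items():
        print(f"{name:13s} {evaluate(pkt)}")
```

The `internal` sample is the case the original `any any` header and the `!$SMTP_SERVERS !25` variant both catch but the `$HOME_NET -> $EXTERNAL_NET` form misses, while `bugtraq_mail` is the false positive the reply describes.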