[Snort-sigs] False positives SID 1882

Javier Fernandez-Sanguino jfernandez at ...2106...
Wed Jun 30 03:31:04 EDT 2004

Rule:   ATTACK-RESPONSES id check returned userid
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)

Sid: 1882

False Positives:

This rule might generate a false positive when servers return error 
messages and include in their output detailed error information such as 
uid and gid information. The qmail MTA, for example, might send bounce 
mail messages with errors that might include uid/gid information:

executing 'qmail-local -- alias /var/qmail/alias cyro1 - cyrxx xxxxx 
xxxxx ./Maildir/' under uid=103, gid=101 Sorry, no mailbox here by 
that name. (#5.1.1)


Javier Fernández-Sanguino
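
The following is an added example, not part of the original post or of Snort: a simplified Python emulation of the content and byte_test options of SID 1882, run over the qmail bounce text quoted above and over a constructed sample of real `id` output, to show why both trigger the rule. It assumes byte_test with `string` parses leading decimal digits; the helper `looks_like_id_output` is a hypothetical triage check for analysts, not a Snort option.

```python
import re

# Bounce text from the post above; ID_OUTPUT is a constructed sample.
QMAIL_BOUNCE = (b"executing 'qmail-local -- alias /var/qmail/alias cyro1 - cyrxx "
                b"xxxxx xxxxx ./Maildir/' under uid=103, gid=101 Sorry, no "
                b"mailbox here by that name. (#5.1.1)")
ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"

def _byte_test_lt(data, pos, nbytes=5, limit=65537):
    """Approximates byte_test:5,<,65537,0,relative,string (assumption:
    leading decimal digits of the 5-byte window are the value)."""
    m = re.match(rb"\d+", data[pos:pos + nbytes])
    return bool(m) and int(m.group()) < limit

def sid1882_matches(payload):
    """True if the payload satisfies the rule's option chain."""
    start = 0
    while (i := payload.find(b"uid=", start)) != -1:
        after_uid = i + 4
        if _byte_test_lt(payload, after_uid):
            # content:" gid="; within:15 -> the whole pattern must sit in
            # the 15 bytes following "uid=" (byte_test does not move the cursor)
            j = payload.find(b" gid=", after_uid, after_uid + 15)
            if j != -1 and _byte_test_lt(payload, j + 5):
                return True
        start = i + 1  # retry from the next "uid=" occurrence
    return False

# Hypothetical triage helper: id(1) prints "uid=N(name) gid=N(name)", while
# the qmail error prints "uid=N, gid=N". Caveat: id omits "(name)" when the
# account has no passwd entry, so this check can miss such output.
_ID_FORMAT = re.compile(rb"uid=\d+\([^)\s]*\) gid=\d+\(")

def looks_like_id_output(payload):
    return bool(_ID_FORMAT.search(payload))

def triage(payload):
    """Classify a payload: 'no-alert', 'likely-fp' or 'likely-id-output'."""
    if not sid1882_matches(payload):
        return "no-alert"
    return "likely-id-output" if looks_like_id_output(payload) else "likely-fp"

if __name__ == "__main__":
    for name, sample in (("qmail bounce", QMAIL_BOUNCE), ("id output", ID_OUTPUT)):
        print(f"{name}: {triage(sample)}")
```
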
