[Snort-sigs] False Positive - SID 1882

Javier Fernandez-Sanguino jfernandez at ...2106...
Wed Jun 30 08:03:02 EDT 2004

Gustavo Gomes wrote:
>  alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id 
> check returned userid"; content:"uid="; 
> byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; 
> byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; 
> rev:10;)

You are kidding, right? That's just the email I sent to describe a 
false positive in SID 1882 with a proper example. Obviously, any data 
packet that contains uid=1234 should trigger the alert. Probably this 
mail will also trigger your alert :-)
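
The point made in the reply above, as an added example that is not part of the original message: a simplified Python emulation of the quoted rule's content / byte_test / within chain, run over constructed payloads. It approximates Snort's option semantics for illustration and is not Snort's engine; the function names and sample payloads are assumptions.

```python
import re

UID, GID = b"uid=", b" gid="

def byte_test_lt(payload, pos, nbytes=5, limit=65537):
    """Approximate byte_test:5,<,65537,0,relative,string at offset pos:
    read up to 5 bytes, parse the leading decimal digits, compare."""
    m = re.match(rb"\d+", payload[pos:pos + nbytes])
    return m is not None and int(m.group()) < limit

def sid_1882_matches(payload):
    """Return True if the payload satisfies the rule's option chain."""
    start = 0
    while (i := payload.find(UID, start)) != -1:
        cur = i + len(UID)              # cursor after content:"uid="
        if byte_test_lt(payload, cur):
            # within:15 -> " gid=" must lie wholly in the next 15 bytes
            j = payload.find(GID, cur, cur + 15)
            if j != -1 and byte_test_lt(payload, j + len(GID)):
                return True
        start = i + 1                   # retry at the next "uid="
    return False

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "id output": b"uid=0(root) gid=0(root) groups=0(root)\n",
    "mail quoting id output": (
        b"Subject: False Positive - SID 1882\r\n\r\n"
        b"The rule fires on text such as uid=1234 gid=1234 "
        b"in a message body.\r\n"
    ),
    "web request, non-numeric uid": b"GET /profile?uid=abc&gid=1 HTTP/1.1\r\n",
    "values above 65536": b"uid=70000 gid=70000\n",
}

def classify(samples=SAMPLES):
    """Map each sample name to whether the emulated rule would alert."""
    return {name: sid_1882_matches(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{'ALERT' if hit else 'quiet':5}  {name}")
```

The rule is written for `ip` with `any` ports, so the mail body and the real `id` output are indistinguishable to it; narrowing the rule or suppressing it for mail servers is a tuning decision outside what the rule text itself can express.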


