[Snort-sigs] rename sid 604

rmkml rmkml at ...324...
Fri Dec 2 02:36:11 EST 2005


Hi,

look sid 604 :
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 513 
(msg:"RSERVICES rsh froot"; flow:to_server,established; 
content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; 
sid:604; rev:5;)

but tcp port 513 is rlogin, maybe rename rsh to rlogin ?


for information, sid 609 is ok :
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 514 
(msg:"RSERVICES rsh froot"; flow:to_server,established; 
content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; 
sid:609; rev:5;)

Improve/comments are welcome.

Rmkml




More information about the Snort-sigs mailing list