[Snort-sigs] False negatives on "ATTACK-RESPONSES id check returned userid"

Jon Hart jhart at ...288...
Mon Apr 16 11:00:20 EDT 2007

On Mon, Apr 16, 2007 at 12:40:27PM +0200, Cees wrote:
> Some additional information:
> Version of snort used:
> Snort.conf configuration:
> var HOME_NET []
> [..]
> Preprocessors: frag3, stream4, http_inspect
> Command-line options when starting snort:
> snort -u snort -r uid.pcap -l log/ -c snort.conf
> Operating system used: Gentoo linux
> Attached a sample PCAP file. A client ( retrieves a website
> from the server ( with the string "uid=33(www-data)
> gid=33(www-data) groups=33(www-data)".

I seem to recall discussion about this rule and its potential for
false-negatives sometime in the past.  The further you crank out
'within', the greater the chance of a false-positive.  There is
definitely room for improvement, IMO, as uid and gid combinations that
are greater than 9 characters in length are quite common.

Why not pcre for this rule?  'pcre:/uid=\d+\S+\s+gid=\d+\S+'?
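The false negative discussed above, as an added example that is not code from this thread: a small Python model of the rule's byte-bounded content/within check placed next to the proposed pcre, run over constructed id(1) output lines. The value within:15 is an assumption chosen to match the "more than 9 characters" remark, not a quote of the shipped rule.

```python
import re

# Constructed sample payloads for this example (not the pcap from the thread).
SAMPLES = [
    "uid=0(root) gid=0(root) groups=0(root)",
    "uid=33(www-data) gid=33(www-data) groups=33(www-data)",
    "uid=1001(jenkins) gid=1001(jenkins) groups=1001(jenkins),27(sudo)",
    "HTTP/1.1 200 OK",
]

# The pcre proposed in the reply above.
ID_PCRE = re.compile(r"uid=\d+\S+\s+gid=\d+\S+")


def content_within_match(payload: str, within: int) -> bool:
    """Simplified model of  content:"uid="; content:" gid="; within:N;
    The second content must lie wholly inside the N bytes that follow the
    end of the first match. Simplifications: byte_test is ignored and only
    the first "uid=" occurrence is considered."""
    start = payload.find("uid=")
    if start < 0:
        return False
    end = start + len("uid=")
    return " gid=" in payload[end:end + within]


def pcre_match(payload: str) -> bool:
    """The regex alternative: no fixed byte budget between uid and gid."""
    return ID_PCRE.search(payload) is not None


def compare(samples, within):
    """Return (payload, within_hit, pcre_hit) per sample so the false
    negatives of the byte-bounded variant are visible side by side."""
    return [(s, content_within_match(s, within), pcre_match(s)) for s in samples]


if __name__ == "__main__":
    # within:15 is an assumed value (see lead-in), not the shipped rule's.
    for payload, within_hit, pcre_hit in compare(SAMPLES, within=15):
        print(f"within:15={within_hit!s:5}  pcre={pcre_hit!s:5}  {payload}")
```

Note that the pcre as written requires a non-space token after each numeric id (the parenthesised name), so bare "uid=0 gid=0" output would not match it either.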

