[Snort-sigs] attack responses euid=0(root)

u at ...4132... u at ...4132...
Sun Jan 24 22:28:21 EST 2016


here are two modified snort rules matching euid instead of uid:

alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"euid=0|28|root|29|"; classtype:bad-un
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned effective userid"; content:"euid="; b
e,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)

I couldn't find something similar in rules/


More information about the Snort-sigs mailing list