[Snort-users] Discussion of sid498 triggers sid498 :-)

James Garrison jhg at ...4209...
Fri Nov 30 09:03:03 EST 2001

There was a recent posting to the list about sid498.  This rule looks
for a particular string "uid=0[root]", which was contained in the
posting.  This triggered the rule (I changed the parentheses to 
brackets to avoid triggering it again with this message).  I think
this is a good rule, and the occasional false positive is worth the
minor annoyance.

James Garrison                                Athens Group, Inc.
mailto:jhg at ...4209...                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C         (512) 345-0600 x150

More information about the Snort-users mailing list