[Snort-users] Discussion of sid498 triggers sid498 :-)
jhg at ...4209...
Fri Nov 30 09:03:03 EST 2001
There was a recent posting to the list about sid498. This rule looks
for a particular string "uid=0[root]", which was contained in the
posting. This triggered the rule (I changed the parentheses to
brackets to avoid triggering it again with this message). I think
this is a good rule, and the occasional false positive is worth the
James Garrison
Athens Group, Inc.
5608 Parkcrest Dr
Austin, TX 78731
(512) 345-0600 x150
mailto:jhg at ...4209...
http://www.athensgroup.com
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C