[Snort-users] Rules question
dr.kaos at ...4970...
Thu Feb 14 11:36:08 EST 2002
On Thursday 14 February 2002 12:22 pm, Matt Kettler wrote:
> Look at the rule:
> attack-responses.rules:alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0***(root)"; classtype:bad-unknown; sid:498; re
> (I inserted *** in the content section, otherwise this very email will set
> off the rule)
> So any TCP connection, in any direction, which is connected and has that
> text string in it will trigger.
> So text downloading the rules file in uncompressed form will trigger it.
> Emails quoting the rule will trigger it (unless modified like this one)
> Some OS install/setup/security discussions on websites, email and news will
> set it off.
Specifically, a recent e-mail posted to Bugtraq regarding an Ettercap root
vulnerability triggered it during a pop of one of my mailboxes. I bet this
was the reason for the original question...
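The matching behaviour Matt describes (ACK flag set, the literal string anywhere in the payload, either direction) is easy to reproduce outside Snort, which is a quick way to see why a POP download of a Bugtraq post fires sid:498 while a mail that quotes the rule with "***" inserted does not. The following is an added example, not Snort's own code and not from either poster; the packets are constructed, the `10.0.0.` home-network prefix and the tightened "internal host to external host only" variant are assumptions for illustration (that variant is not the rule shown above).

```python
"""Toy reproduction of the match logic of Snort sid:498 as described in
the quoted message: flags:A+ (ACK set, other flags allowed), the content
string anywhere in the payload, any TCP direction.  Added example, not
Snort code; all traffic below is constructed, not captured."""

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# The rule's content string, built from two pieces so that this file, like
# Matt's email, does not itself carry the exact trigger text.
CONTENT = b"uid=0" + b"(root)"


def flags_a_plus(flags: int) -> bool:
    """Snort 'flags:A+': ACK must be set, any other flags may also be set."""
    return bool(flags & TCP_ACK)


def sid498_matches(pkt: dict) -> bool:
    """alert tcp any any -> any any (flags:A+; content:"uid=0(root)";)"""
    return flags_a_plus(pkt["flags"]) and CONTENT in pkt["payload"]


def sid498_home_to_external(pkt: dict, home_net: str = "10.0.0.") -> bool:
    """Assumed tightened variant (NOT the rule from the page): only fire on
    traffic leaving the home network, i.e. an internal host answering an
    external one.  A real 'id' response from a popped internal box goes that
    way; a POP download from an external mail server goes the other way and
    is ignored.  'home_net' is a placeholder for $HOME_NET."""
    return (pkt["src"].startswith(home_net)
            and not pkt["dst"].startswith(home_net)
            and sid498_matches(pkt))


# Constructed packets.  Addresses are documentation/test ranges.
PACKETS = [
    {"name": "telnet",       # real 'id' output from an internal shell
     "src": "10.0.0.5", "dst": "203.0.113.9", "flags": TCP_ACK | TCP_PSH,
     "payload": b"$ id\r\n" + CONTENT + b" gid=0(root) groups=0(root)\r\n$ "},
    {"name": "pop3",         # Bugtraq mail about a root hole being downloaded
     "src": "198.51.100.25", "dst": "10.0.0.5", "flags": TCP_ACK | TCP_PSH,
     "payload": b"+OK 512 octets\r\n...after the exploit:\r\n# id\r\n"
                + CONTENT + b" gid=0(root)\r\n.\r\n"},
    {"name": "quoted_rule",  # mail quoting the rule with *** inserted
     "src": "198.51.100.25", "dst": "10.0.0.5", "flags": TCP_ACK | TCP_PSH,
     "payload": b'content: "uid=0***(root)"; classtype:bad-unknown;'},
    {"name": "syn_only",     # string present, but no ACK flag
     "src": "203.0.113.9", "dst": "10.0.0.5", "flags": TCP_SYN,
     "payload": CONTENT},
]


def evaluate(rule, packets=PACKETS) -> dict:
    """Run one rule function over the packets; map packet name -> fired?"""
    return {p["name"]: rule(p) for p in packets}


if __name__ == "__main__":
    for label, rule in (("sid:498 as shipped", sid498_matches),
                        ("home -> external only", sid498_home_to_external)):
        print(label)
        for name, fired in evaluate(rule).items():
            print(f"  {name:12s} {'ALERT' if fired else '-'}")
```

Run as a script, the first table shows the shipped rule firing on both the telnet session and the POP3 download, while the quoted-rule mail and the SYN-only packet stay quiet; the second table shows the assumed direction-restricted variant keeping the telnet alert and dropping the POP3 one.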