[Snort-users] Rules question

dr.kaos dr.kaos at ...4970...
Thu Feb 14 11:36:08 EST 2002


On Thursday 14 February 2002 12:22 pm, Matt Kettler wrote:

[...snip...]

> Look at the rule:
>
> attack-responses.rules:alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0***(root)"; classtype:bad-unknown; sid:498; rev:2;)
>
> (I inserted *** in the content section, otherwise this very email will set
> off the rule)
>
> So any TCP connection, in any direction, which is connected and has that
> text string in it will trigger.

see below...

> So text downloading the rules file in uncompressed form will trigger it.
> Emails quoting the rule will trigger it (unless modified like this one)
> Some OS install/setup/security discussions on websites, email and news will
> set it off..

Specifically, a recent e-mail posted to Bugtraq regarding an Ettercap root 
vulnerability triggered it during a pop of one of my mailboxes. I bet this 
was the reason for the original question...

./dr.kaos
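The false-positive behaviour the thread describes, as an added example that is not part of the original message or of Snort: a small Python model of how sid:498 evaluates a TCP segment (ACK-required flags plus a plain substring content match, no direction or port restriction), run over constructed sample payloads including an email that quotes the rule verbatim and the obfuscated variant.

```python
# Added example, not from the thread. Models the matching logic of the quoted
# rule (sid:498) to show why benign traffic that merely quotes the rule fires it.
# All sample segments below are constructed.

TCP_ACK = 0x10  # standard TCP ACK flag bit

# The rule's matching parts: flags:A+ (ACK set, any other bits allowed) and
# content:"uid=0(root)" (plain substring match anywhere in the payload).
RULE = {"sid": 498, "flags_required": TCP_ACK, "content": b"uid=0(root)"}


def flags_match(tcp_flags: int, required: int) -> bool:
    """flags:A+ semantics: required bits must be set; extra bits are ignored."""
    return tcp_flags & required == required


def rule_fires(tcp_flags: int, payload: bytes, rule=RULE) -> bool:
    """Any TCP direction, any port: fires if flags match and the content is present."""
    return flags_match(tcp_flags, rule["flags_required"]) and rule["content"] in payload


# Constructed sample segments as (tcp_flags, payload). Ports and direction are
# irrelevant because the rule is "tcp any any -> any any".
SAMPLES = {
    # real "id" output coming back over a shell session (PSH+ACK)
    "shell_id_output": (0x18, b"uid=0(root) gid=0(root) groups=0(root)\n"),
    # an email body quoting the rule verbatim, fetched over POP3 (ACK set)
    "email_quoting_rule": (0x10, b'content: "uid=0(root)"; classtype:bad-unknown;'),
    # the same email with the content obfuscated as Matt did in his post
    "email_obfuscated": (0x10, b'content: "uid=0***(root)"; classtype:bad-unknown;'),
    # a bare SYN carrying the string: no ACK, so flags:A+ does not match
    "syn_only": (0x02, b"uid=0(root)"),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample name: True if sid:498 would alert on it}."""
    return {name: rule_fires(flags, payload) for name, (flags, payload) in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:20} -> {'ALERT sid:498' if fired else 'no alert'}")
```

The email quoting the rule alerts exactly like genuine `id` output, which is the false positive the thread reports; only the obfuscated quote and the non-ACK segment stay silent.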



