[Snort-users] False Alerts 1882 id check returned userid

Stephen W. Thomas swthomas at ...9227...
Fri May 23 13:59:02 EDT 2003

I'm getting the same thing. Since our network hosts web sites, I may see if I can tweak this rule or maybe even disable it. The rule seems to be Unix specific so maybe since we are running all Windows systems it can be disabled.


-----Original Message-----
From:	Lance Worthington [mailto:lworthington at ...7948...]
Sent:	Thu 5/22/2003 9:52 AM
To:	snort-users at lists.sourceforge.net
Subject:	[Snort-users] False Alerts 1882 id check returned userid
Here is the changes snort made to the following rule.

(msg:"ATTACK-RESPONSES id check returned www"; flow:from_server,established;
content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:3;)

new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id
check returned userid"; content:"uid=";
byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882;

This alerts was modified on 5/16. I have been getting false positives from
tons of legit http traffic with 'uid=' in it. It seems many websites logins
have syntax in the URL that triggers this alert. Has anyone else been having
the same problem? Would it be too dangerous to write a pass rule for traffic
destinated for port 80? Only about 30 alerts out of 500 are not dst for port


This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list