From: dr.kaos (dr.kaoskaos.to)
Date: Thu Feb 14 2002 - 13:34:14 CST

    On Thursday 14 February 2002 12:22 pm, Matt Kettler wrote:

    [...snip...]

    > Look at the rule:
    >
    > attack-responses.rules:alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0***(root)"; classtype:bad-unknown; sid:498; rev:2;)
    >
    > (I inserted *** in the content section, otherwise this very email will set
    > off the rule)
    >
    > So any TCP connection, in any direction, which is connected and has that
    > text string in it will trigger.

    see below...

    > So text downloading the rules file in uncompressed form will trigger it.
    > Emails quoting the rule will trigger it (unless modified like this one)
    > Some OS install/setup/security discussions on websites, email and news will
    > set it off..

    Specifically, a recent e-mail posted to Bugtraq regarding an Ettercap root
    vulnerability triggered it during a pop of one of my mailboxes. I bet this
    was the reason for the original question...

    ./dr.kaos

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
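As an added example (not code from this thread or from Snort itself), here is a toy Python re-implementation of how sid 498 decides to fire, run over a few constructed TCP segments modelled on the cases the thread lists: a real `id` response, a POP3 download of a mail that quotes the string, the same mail on its way out over SMTP, and a plain-HTTP fetch of the rules file. It honours only the rule options that matter here (the any/any address and port test, `flags:A+`, and the `content` match) and assumes the unmasked content string `uid=0(root)`, which Matt Kettler says he hid behind `***`; every segment, port number and payload below is constructed for illustration.

```python
import re
from dataclasses import dataclass

# The rule as it ships in attack-responses.rules, with the content string unmasked
# (the thread's copy has *** inserted so the mail itself would not trigger it).
RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
        'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')

# TCP flag bits, keyed by Snort's single-letter names.
FLAG_BITS = {'F': 0x01, 'S': 0x02, 'R': 0x04, 'P': 0x08, 'A': 0x10, 'U': 0x20}


@dataclass
class Segment:
    """One TCP segment reduced to the fields the rule can test (constructed data)."""
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_rule(rule: str) -> dict:
    """Pull out the header and the three options this toy matcher honours."""
    hdr = re.match(r'alert tcp (\S+) (\S+) -> (\S+) (\S+)', rule)
    content = re.search(r'content:\s*"([^"]*)"', rule)
    flags = re.search(r'flags:\s*([FSRPAU]+)([+*!]?)', rule)
    sid = re.search(r'sid:\s*(\d+)', rule)
    return {
        'src': hdr.group(1), 'sport': hdr.group(2),
        'dst': hdr.group(3), 'dport': hdr.group(4),
        'content': content.group(1).encode(),
        'flags': flags.group(1), 'flags_mod': flags.group(2),
        'sid': int(sid.group(1)),
    }


def flags_match(flags: int, spec: str, mod: str) -> bool:
    """Snort flags semantics: '+' = listed bits set, others ignored; '*' = any listed
    bit set; '!' = none of the listed bits set; no modifier = exact match."""
    want = 0
    for ch in spec:
        want |= FLAG_BITS[ch]
    if mod == '+':
        return flags & want == want
    if mod == '*':
        return flags & want != 0
    if mod == '!':
        return flags & want == 0
    return flags == want


def port_match(spec: str, port: int) -> bool:
    return spec == 'any' or int(spec) == port


def rule_fires(rule: dict, seg: Segment) -> bool:
    """True when every tested field matches. With any/any -> any/any the port tests
    never fail, so direction and service are irrelevant; only flags and content count."""
    if not (port_match(rule['sport'], seg.sport) and port_match(rule['dport'], seg.dport)):
        return False
    if not flags_match(seg.flags, rule['flags'], rule['flags_mod']):
        return False
    return rule['content'] in seg.payload


ACK, PSH, SYN = FLAG_BITS['A'], FLAG_BITS['P'], FLAG_BITS['S']

# Constructed segments, loosely modelled on the cases discussed in the thread.
SAMPLES = {
    # The intended hit: a server echoing the output of `id` back over telnet.
    'telnet_id_response': Segment(23, 1045, ACK | PSH,
        b'uid=0(root) gid=0(root) groups=0(root)\r\n'),
    # The false positive dr.kaos saw: POP3 delivering a mail that quotes the string.
    'pop3_bugtraq_mail': Segment(110, 2211, ACK | PSH,
        b'+OK 1843 octets\r\nSubject: Re: Ettercap local root\r\n\r\n'
        b'$ id\r\nuid=0(root) gid=0(root)\r\n.\r\n'),
    # The same mail while it was being sent; any/any means client->server matches too.
    'smtp_outbound_mail': Segment(3322, 25, ACK | PSH,
        b'> $ id\r\n> uid=0(root) gid=0(root)\r\n'),
    # Fetching attack-responses.rules itself over plain HTTP.
    'http_rules_download': Segment(80, 4020, ACK | PSH,
        b'HTTP/1.0 200 OK\r\n\r\n' + RULE.encode() + b'\n'),
    # Matt's masked copy of the rule does not contain the exact content string.
    'masked_rule_in_email': Segment(110, 2212, ACK | PSH,
        b'content: "uid=0***(root)";\r\n'),
    # A payload without ACK set never satisfies flags:A+ (not a real data segment).
    'syn_only_segment': Segment(31337, 80, SYN, b'uid=0(root)'),
}


def run_samples() -> dict:
    """Map each sample name to whether sid 498 would fire on it."""
    rule = parse_rule(RULE)
    return {name: rule_fires(rule, seg) for name, seg in SAMPLES.items()}


if __name__ == '__main__':
    for name, fired in run_samples().items():
        print(f'{name:24s} {"ALERT sid:498" if fired else "-"}')
```

The point the run makes is that `flags:A+` is no filter at all for this purpose: every data-carrying segment on an established connection has ACK set, so the only thing separating the telnet hit from the POP3, SMTP and HTTP hits is the content string, which is identical in all four. The usual local fix is to narrow a copy of the rule to the services and direction you actually care about (for example, responses from `$HOME_NET` on the interactive ports you expect `id` to be run over) rather than to disable it.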