Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: dr.kaos (dr.kaoskaos.to)
Date: Thu Feb 14 2002 - 13:34:14 CST
On Thursday 14 February 2002 12:22 pm, Matt Kettler wrote:
> Look at the rule:
> attack-responses.rules:alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0***(root)"; classtype:bad-unknown; sid:498; re
> (I inserted *** in the content section, otherwise this very email will set
> off the rule)
> So any TCP connection, in any direction, which is connected and has that
> text string in it will trigger.
> So text downloading the rules file in uncompressed form will trigger it.
> Emails quoting the rule will trigger it (unless modified like this one)
> Some OS install/setup/security discussions on websites, email and news will
> set it off.
Specifically, a recent e-mail posted to Bugtraq regarding an Ettercap root
vulnerability triggered it during a POP of one of my mailboxes. I bet this
was the reason for the original question...
Snort-users mailing list
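The thread's point is that sid:498 is a bare content match over any TCP payload in any direction, so the same bytes in an `id` response, a fetched e-mail, or a downloaded rules file all fire it. The following script is an added example, not code from the thread or from the Snort project: it reproduces the rule's content test over a few constructed payloads and then applies a simple port-based triage of the hits. The port sets, flow records and payloads are assumptions made up for the illustration, and the TCP flag test (`flags:A+`) is not modelled.

```python
# Reproduce the content test of Snort sid:498 over constructed TCP payloads
# and triage the hits the way the thread describes them. Added example; the
# port sets and sample flows below are assumptions, not real captures.

# The rule's content string as quoted in the thread, without the "***" that
# Matt Kettler inserted to keep the e-mail itself from triggering the rule.
SID498_CONTENT = b"uid=0(root)"

# Assumed server ports used only for triage; the rule itself says "any any".
MAIL_PORTS = {25, 110, 143}
WEB_PORTS = {80, 443}

# Constructed sample flows: src_port is the server side that sent the bytes.
SAMPLE_FLOWS = [
    {"name": "id output on an interactive shell session",
     "src_port": 2323, "dst_port": 50321,
     "payload": b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n"},
    {"name": "POP3 retrieval of a Bugtraq post",
     "src_port": 110, "dst_port": 51002,
     "payload": (b"+OK 1843 octets\r\nSubject: ettercap root vulnerability\r\n\r\n"
                 b"... the exploit output shows uid=0(root) ...\r\n.\r\n")},
    {"name": "HTTP download of attack-responses.rules",
     "src_port": 80, "dst_port": 51003,
     "payload": (b"HTTP/1.1 200 OK\r\n\r\n"
                 b"alert tcp any any -> any any (msg:\"ATTACK RESPONSES id check "
                 b"returned root\"; flags:A+; content: \"uid=0(root)\"; "
                 b"classtype:bad-unknown; sid:498;)\r\n")},
    {"name": "ordinary HTTP page",
     "src_port": 80, "dst_port": 51004,
     "payload": b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>\r\n"},
]


def sid498_matches(payload: bytes) -> bool:
    """The rule's content test: a case-sensitive substring search over the
    TCP payload, with no regard to direction or port ("any any -> any any").
    The ACK-flag requirement (flags:A+) is not modelled here."""
    return SID498_CONTENT in payload


def triage(flow: dict) -> str:
    """Defender-side triage of a sid:498 hit. Bytes sent by a mail or web
    server port are the cases the thread lists as false positives (quoted
    e-mails, rule-file downloads); any other source keeps the rule's own
    'bad-unknown' classification for an analyst to look at."""
    if not sid498_matches(flow["payload"]):
        return "no-match"
    if flow["src_port"] in MAIL_PORTS:
        return "likely-benign: mail content"
    if flow["src_port"] in WEB_PORTS:
        return "likely-benign: web content"
    return "bad-unknown"


def run(flows=SAMPLE_FLOWS) -> dict:
    """Return a mapping of flow name to triage verdict."""
    return {f["name"]: triage(f) for f in flows}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:45s} {verdict}")
```

Three of the four constructed flows match, exactly as the thread predicts, and only the shell session survives triage as `bad-unknown`. The same port or flow-direction reasoning is what one would fold back into the rule or into a local suppression to cut the noise from mail and web traffic without losing the genuine case.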