Snort mailing list archives

Re: Test question


From: Jose Celestino <japc () co sapo pt>
Date: Mon, 17 Dec 2001 03:27:13 +0000

As it is you should turn it off on port 80/443 if you use, for instance,
ACID.

:))

Thus spake Greg Herlein, on Sun, Dec 16, 2001 at 07:35:52PM -0800:
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content:"uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)

Interesting - this email exchange triggered this rule in my
system, giving me a moment's heart palpitation.  :)  It saw it on
port 25 - so I knew it was either legit email, or a new hack of
sendmail.

I'll probably add a new rule to turn this off if on port 25 or
I'll get more similar false positives.  I'm not sure how to
trigger on it on port 25 if it's not in email....  gotta think
about that.

Greg


-- 
Jose Celestino <japc () co sapo pt>
---------------------------------
"Jesus may love you, but I think you're garbage wrapped in skin."
-- Michael O'Donohugh
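The port-tuning discussed in this thread, as an added example that is not part of the original mail. Greg's rule fires on any TCP segment carrying "uid=0(root)", so the mailing-list message itself (delivered to port 25) and an ACID console page (served from 80/443) both alert alongside a genuine shell response. The Python below is a toy evaluator for the header and content part of a Snort rule; it is not Snort code. It parses the original sid:498 rule and a tuned variant whose source port excludes 80/443 and whose destination port excludes 25, then runs both over three constructed packets. The `![80,443]` bracketed port-list syntax is the Snort 2.x form; whether the 2001-era Snort on the list supported lists (as opposed to a single `!25`) is an assumption, and the tuned rule's `rev:3` is just a made-up bump.

```python
"""Toy Snort-style rule matcher: header ports, flags, and a single content match.

Constructed for illustration only; it models the parts of sid:498 that matter for
port tuning and ignores everything else Snort does (IP fields, preprocessors,
multiple contents, pcre, flow, ...).
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_port: int
    dst_port: int
    flags: str      # TCP flags as letters, e.g. "PA" for PSH+ACK
    payload: bytes


# action proto src_ip src_port -> dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$"
)


def parse_rule(text):
    """Split a one-line rule into header fields and an option dict."""
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError("unparseable rule: %r" % text)
    action, proto, sip, sport, dip, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "sport": sport, "dport": dport,
            "options": options}


def parse_ports(spec):
    """Return (negated, ports) where ports is None for 'any'.

    Accepts 'any', a single port, a range 'lo:hi', a bracketed list
    '[80,443]' and a leading '!' on any of them (Snort 2.x port syntax).
    """
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, None
    ports = set()
    for part in spec.strip("[]").split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return negated, ports


def port_matches(spec, port):
    negated, ports = parse_ports(spec)
    hit = True if ports is None else port in ports
    return (not hit) if negated else hit


def flags_match(spec, pkt_flags):
    """'A+' means ACK plus anything; a bare 'A' means exactly ACK."""
    if spec is None:
        return True
    required = set(spec.rstrip("+*"))
    if spec.endswith("+"):
        return required <= set(pkt_flags)
    return required == set(pkt_flags)


def rule_matches(rule, pkt):
    opts = rule["options"]
    return (port_matches(rule["sport"], pkt.src_port)
            and port_matches(rule["dport"], pkt.dst_port)
            and flags_match(opts.get("flags"), pkt.flags)
            and opts["content"].encode() in pkt.payload)


def alerts(rule_text, traffic):
    """Names of the packets in `traffic` that the rule would alert on, sorted."""
    rule = parse_rule(rule_text)
    return sorted(name for name, pkt in traffic.items() if rule_matches(rule, pkt))


# The rule Greg quoted, joined onto one line.
ORIGINAL_RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check '
                 'returned root"; flags:A+; content:"uid=0(root)"; '
                 'classtype:bad-unknown; sid:498; rev:2;)')

# Tuned variant (assumption, not from the page): ignore bodies going TO port 25
# (mail) and bodies coming FROM 80/443 (a web console such as ACID).
TUNED_RULE = ('alert tcp any ![80,443] -> any !25 (msg:"ATTACK RESPONSES id check '
              'returned root"; flags:A+; content:"uid=0(root)"; '
              'classtype:bad-unknown; sid:498; rev:3;)')

# Constructed sample traffic, not real captures.
SAMPLE_TRAFFIC = {
    "smtp_list_mail": Packet(41234, 25, "PA",
        b"Subject: Re: Test question\r\n\r\nalert tcp any any -> any any "
        b"(content:\"uid=0(root)\"; sid:498;)\r\n"),
    "acid_console": Packet(443, 51000, "PA",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<td>uid=0(root) gid=0(root)</td>"),
    "real_shell": Packet(4444, 53012, "PA",
        b"uid=0(root) gid=0(root) groups=0(root)\n"),
}

if __name__ == "__main__":
    print("original:", alerts(ORIGINAL_RULE, SAMPLE_TRAFFIC))
    print("tuned:   ", alerts(TUNED_RULE, SAMPLE_TRAFFIC))
```

The original rule alerts on all three packets; the tuned one only on the shell on port 4444. The cost is the one Greg already points at: a bind shell listening on 25 or a web shell answering on 443 now slips past sid:498, so a port exclusion trades a known false positive for a known blind spot, and that trade should be written down next to the rule. The alternative that keeps the signature intact is a narrower `pass` rule for the mail and console traffic; on the Snort of that era pass rules were evaluated after alert rules unless the rule order was changed on the command line, which is worth checking before relying on it.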

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users