Snort mailing list archives
Re: Test question
From: Phil Wood <cpw () lanl gov>
Date: Mon, 17 Dec 2001 14:12:18 -0700
As far as I'm concerned, you all passed in one way or another. %^)

With the exception of myself, who should have suggested that the rule
and possibly others be modified to avoid triggering the very same rule!

pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root"; \
    flags:A+; content: "uid=0(|726F6F74|)"; classtype:bad-unknown; \
    sid:498; rev:2;)

or even

pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root"; \
    flags:A+; content: "uid=|30|(root)"; classtype:bad-unknown; \
    sid:498; rev:2;)

Later,
--
Phil Wood, cpw () lanl gov
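
The following is an added example, not part of the original post: a small check that both rewritten content strings still decode to the same bytes while the rule text itself no longer contains them. The "literal" rule is a constructed baseline that assumes the unmodified content was the plain string both rewrites decode to; the helper names are hypothetical.

```python
import re

# Rule text from the post, rebuilt from a shared head and tail.
HEAD = ('pass tcp any any -> any 25 '
        '(msg:"ATTACK RESPONSES id check returned root"; flags:A+; ')
TAIL = ' classtype:bad-unknown; sid:498; rev:2;)'
RULES = {
    # Constructed baseline (assumption): content written as plain text.
    "literal": HEAD + 'content: "uid=0(root)";' + TAIL,
    # The two rewrites quoted in the post.
    "hex_root": HEAD + 'content: "uid=0(|726F6F74|)";' + TAIL,
    "hex_zero": HEAD + 'content: "uid=|30|(root)";' + TAIL,
}

CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')

def decode_content(value: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside |...| is hex bytes (whitespace between bytes is allowed).
    Backslash escapes are not handled in this sketch."""
    parts = value.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:
            out += bytes.fromhex(part)      # fromhex ignores whitespace
        else:
            out += part.encode("latin-1")
    return bytes(out)

def self_triggers(rule_text: str) -> bool:
    """True if the rule's own text, sent unchanged over the wire (for
    example in a mail to a list), contains bytes its content would match."""
    raw = rule_text.encode("latin-1")
    return any(decode_content(c) in raw for c in CONTENT_RE.findall(rule_text))

def report() -> dict:
    """Map rule name -> (decoded match bytes, does the rule match itself)."""
    return {name: (decode_content(CONTENT_RE.search(text).group(1)),
                   self_triggers(text))
            for name, text in RULES.items()}

if __name__ == "__main__":
    for name, (pattern, hit) in report().items():
        print(f"{name:9} matches {pattern!r:16} self-triggers: {hit}")
```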
