Snort mailing list archives

attack responses euid=0(root)


From: u () netbeisser de
Date: Mon, 25 Jan 2016 04:28:21 +0100

Hi,

here are two modified snort rules matching euid instead of uid:

alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"euid=0|28|root|29|"; classtype:bad-un
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned effective userid"; content:"euid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)

I couldn't find something similar in rules/


Greetings
--Stefan
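To see what the euid variants actually match compared with the stock uid=0(root) pattern, here is an added example (not Stefan's rules and not Snort code) that re-implements, in Python, the content, within and byte_test checks the two rules use, then runs them over constructed `id` output. The matcher semantics are an approximation of what the Snort manual describes (content searches the whole payload unless a relative modifier is present; within:N confines the next content to the N bytes after the previous match; byte_test with string parses leading decimal digits and does not move the match position). The sample payloads and the assumption that a byte_test with no leading digits fails are mine.

```python
"""Added example: a toy re-implementation of the Snort content / within /
byte_test checks used by the two rules in the post, run over constructed
`id` output.  Not Snort's code and not the poster's; the matching semantics
are an approximation of what the Snort manual describes."""
import operator
import re
from typing import Callable, Dict, Optional


def snort_content_bytes(pattern: str) -> bytes:
    """Turn Snort content syntax with |hex| escapes into raw bytes,
    e.g. "euid=0|28|root|29|" -> b"euid=0(root)"."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out.extend(part.encode() if i % 2 == 0 else bytes.fromhex(part))
    return bytes(out)


class Matcher:
    """Tracks the detect-offset-end (position just past the last content
    match) so that `within` and `relative` modifiers can be applied."""

    def __init__(self, payload: bytes) -> None:
        self.payload = payload
        self.doe = 0

    def content(self, pattern: str, within: Optional[int] = None) -> bool:
        """content:"..." with an optional within:N modifier.  Without a
        relative modifier the whole payload is searched; with within:N the
        pattern must fit entirely in the N bytes after the last match."""
        pat = snort_content_bytes(pattern)
        if within is None:
            idx = self.payload.find(pat)
        else:
            rel = self.payload[self.doe:self.doe + within].find(pat)
            idx = -1 if rel < 0 else self.doe + rel
        if idx < 0:
            return False
        self.doe = idx + len(pat)
        return True

    def byte_test_string(self, nbytes: int, op: Callable[[int, int], bool],
                         value: int, offset: int = 0) -> bool:
        """byte_test:<nbytes>,<op>,<value>,<offset>,relative,string: read up
        to nbytes ASCII bytes after the last match, parse the leading decimal
        digits (strtoul-style) and compare.  byte_test does not move doe.
        Assumption: no leading digits means the test fails."""
        chunk = self.payload[self.doe + offset:self.doe + offset + nbytes]
        m = re.match(rb"\d+", chunk)
        return bool(m) and op(int(m.group()), value)


def rule_uid_root(payload: bytes) -> bool:
    """The unmodified stock pattern the post refers to: content:"uid=0|28|root|29|"."""
    return Matcher(payload).content("uid=0|28|root|29|")


def rule_euid_root(payload: bytes) -> bool:
    """First rule of the post: content:"euid=0|28|root|29|"."""
    return Matcher(payload).content("euid=0|28|root|29|")


def rule_euid_any(payload: bytes) -> bool:
    """Second rule of the post: content:"euid="; byte_test:5,<,65537,0,relative,string;
    content:" gid="; within:15; byte_test:5,<,65537,0,relative,string;"""
    m = Matcher(payload)
    return (m.content("euid=")
            and m.byte_test_string(5, operator.lt, 65537)
            and m.content(" gid=", within=15)
            and m.byte_test_string(5, operator.lt, 65537))


RULES: Dict[str, Callable[[bytes], bool]] = {
    "uid=0(root) (stock)": rule_uid_root,
    "euid=0(root) (post, rule 1)": rule_euid_root,
    "euid= ... gid= (post, rule 2)": rule_euid_any,
}

# Constructed sample payloads: `id` output as it would appear in a response stream.
SAMPLES: Dict[str, bytes] = {
    "plain_root_shell": b"uid=0(root) gid=0(root) groups=0(root)\n",
    "setuid_helper":    b"uid=1000(stefan) gid=1000(stefan) euid=0(root) groups=1000(stefan)\n",
    "unprivileged":     b"uid=1000(stefan) gid=1000(stefan) groups=1000(stefan)\n",
    "euid_then_gid":    b"euid=1000 gid=1000\n",
}


def evaluate(payload: bytes) -> Dict[str, bool]:
    """Run every rule over one payload and report which ones fire."""
    return {name: rule(payload) for name, rule in RULES.items()}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        fired = [n for n, hit in evaluate(payload).items() if hit]
        print(f"{label:18s} -> {fired or 'no alert'}")
```

Two things the run makes visible: because "euid=0(root)" contains "uid=0(root)" as a substring, the stock pattern fires on the setuid sample as well, whereas the euid=0(root) rule stays quiet on a plain "uid=0(root)" line, which is what makes it useful for separating the two cases. The second rule's `content:" gid="; within:15` clause only holds when a " gid=" field sits within 15 bytes after "euid="; on `id` output where "groups=" follows "euid=0(root)" it does not fire, so payloads should be checked against the exact field order expected before the rule is deployed.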

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
