Snort mailing list archives
attack responses euid=0(root)
From: u () netbeisser de
Date: Mon, 25 Jan 2016 04:28:21 +0100
Hi,

here are two modified snort rules matching euid instead of uid:

alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"euid=0|28|root|29|"; classtype:bad-un

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned effective userid"; content:"euid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)

I couldn't find something similar in rules/

Greetings
--Stefan
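Added example, not part of Stefan's post or of the Snort rule set: a Python emulation of the match logic of the two rules above, run over constructed sample payloads of the kind an `id` command echoes back over a connection. It assumes within:15 is measured from the end of the euid= match and that every euid= occurrence is tried; the 5-byte byte_test reads only the first five digits of the id, which the large_euid sample shows.

```python
import re

# Constructed sample payloads (not captures from the post): what `id`
# output looks like when it is sent back over a connection.
SAMPLES = {
    "setuid_shell": b"uid=1000(u) gid=1000(u) euid=0(root) groups=1000(u)\n",
    "user_euid":    b"uid=1000(u) euid=1000(u) gid=1000(u)\n",
    "far_gid":      b"euid=1000 followed by lengthy filler, gid=1000\n",
    "large_euid":   b"euid=4294967295 gid=4294967295\n",
    "no_digits":    b"euid=root gid=root\n",
}

def rule_root(payload: bytes) -> bool:
    """First rule: content:"euid=0|28|root|29|" is a plain byte match for
    euid=0(root) anywhere in the payload (|28| and |29| are '(' and ')')."""
    return b"euid=0(root)" in payload

def _byte_test_lt(payload: bytes, pos: int, nbytes: int = 5, limit: int = 65537) -> bool:
    """Emulate byte_test:5,<,65537,0,relative,string: take nbytes bytes at
    pos, convert the leading ASCII digits to an integer, require < limit.
    Only 5 bytes are read, so euid=4294967295 is evaluated as 42949."""
    m = re.match(rb"[0-9]+", payload[pos:pos + nbytes])
    return m is not None and int(m.group()) < limit

def rule_effective_userid(payload: bytes) -> bool:
    """Second rule (the sid:1882 variant): "euid=" followed by a numeric id,
    then " gid=" entirely within the next 15 bytes, followed by a numeric id.
    Assumption: the 15-byte window starts at the end of the euid= match."""
    for m in re.finditer(rb"euid=", payload):
        after_euid = m.end()
        if not _byte_test_lt(payload, after_euid):
            continue
        gid_at = payload[after_euid:after_euid + 15].find(b" gid=")
        if gid_at == -1:
            continue
        if _byte_test_lt(payload, after_euid + gid_at + len(b" gid=")):
            return True
    return False

def classify(payload: bytes) -> list:
    """Return the msg names of the rules that would fire on a payload."""
    fired = []
    if rule_root(payload):
        fired.append("id check returned root")
    if rule_effective_userid(payload):
        fired.append("id check returned effective userid")
    return fired

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:13s} -> {classify(payload)}")
```

Note that on a typical setuid shell the euid field comes after the gid field, so only the first rule fires on that sample; the second rule only catches output where euid= is directly followed by gid=.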