
Re: Additional False Positives for rule 1:498: msg#00208

security.ids.snort.sigs

Subject: Re: Additional False Positives for rule 1:498

On 0, "Coral J. Cook" <cook_coral@xxxxxxxxxxxxx> allegedly wrote:
> I've only included the affected portion of the template:
>
> Rule:
> alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned
> root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
> --
>
> Sid:
> 1:498
>
> --
> False Positives:
> Additional false positives - receiving any text document (via http, smtp
> and probably other clear-text protocols as well) which contains phrases
> "uid=0" or "uid=root", such as when viewing/reading exploit details from
> Full Disclosure, PacketStorm, other security sites, etc.

Added "and other sites" to the existing false positive information about
browsing snort.org. I suspect the web sites that could trip this rule
are legion.

+-----------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team

Cat: "Forget red - let's go all the way up to brown alert!"
Kryten: "There's no such thing as a brown alert sir."
Cat: "You won't be saying that in a minute!"
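To make the false positive concrete, here is an added example (not code from the list, from Sourcefire, or from Snort itself) that re-implements the rule's content match in a simplified way: it parses Snort's pipe-hex content notation into bytes and runs an unanchored substring search over constructed sample payloads, showing that a real post-exploit `id` response and an ordinary web page quoting such output both trigger sid 498. The payloads are constructed for illustration, and the parser assumes only the literal/pipe-hex subset of the content syntax used by this rule.

```python
"""Why Snort sid 498 matches on plain text: a minimal re-implementation of its
content match, run over constructed sample payloads."""

RULE_CONTENT = "uid=0|28|root|29|"  # content option from the rule quoted in the thread


def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content string to the bytes it matches.

    Text outside pipes is literal; text between pipes is hex (so |28| is '('
    and |29| is ')'). Escapes and modifiers are not handled (assumption).
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")        # literal text
        else:
            out += bytes.fromhex(chunk.replace(" ", ""))  # hex bytes
    return bytes(out)


def sid498_matches(payload: bytes) -> bool:
    """Unanchored substring search, as the content option does without offset/depth."""
    return parse_snort_content(RULE_CONTENT) in payload


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # true positive: output of `id` coming back from a compromised host
    "shell_response": b"uid=0(root) gid=0(root) groups=0(root)\n",
    # false positive: an HTTP response carrying a mailing-list post that quotes such output
    "http_advisory_page": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                           b"<pre>$ id\nuid=0(root) gid=0(root)</pre>"),
    # benign: unprivileged id output, no alert
    "unprivileged": b"uid=1000(alice) gid=1000(alice)\n",
}


def classify_samples() -> dict:
    """Map each sample name to whether sid 498 would fire on it."""
    return {name: sid498_matches(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:20s} -> {'ALERT' if hit else 'no alert'}")
```

The rule has no flow or direction constraint beyond `ip any any -> any any`, so any clear-text protocol carrying the string is enough; tuning it typically means restricting it to flows from servers a shell would answer on or suppressing it for known advisory sites.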

