An interesting false positive from snort

This morning, I had an interesting message in my snort daily summary:
ATTACK-RESPONSES id check returned root

"That doesn't sound good", I thought, and went searching for an answer. The first few results seemed to indicate that a false positive was likely. Looking up the IP address, I found that it was one of the addresses belonging to irc.freenode.net. Looking through my IRC logs, sure enough, someone had cut and pasted the output of a Linux command session, including the output of the id command, which showed uid=0(root). That string is exactly what this rule (SID 498) looks for: a content match on "uid=0(root)" anywhere in a packet payload, on any port and in either direction.

Another hit on the first page of results was http://lists.sans.org/pipermail/list/2002-August/053676.html, which describes a similar event triggered by viewing http://www.incidents.org/detect/rating.html.

http://security.raffy.ch/projects/Raffael_Marty_GCIA/node14.html indicates that a number of snort rules like this one are particularly prone to false positives, and expresses disappointment that they are not more specific. However, one wonders how this particular rule could distinguish between normal IRC traffic that happens to contain the matching text and malicious IRC traffic that exploited a buffer overrun vulnerability in an IRC client. At the payload level the bytes are identical; the only differences are context (which side sent them, and whether they sit inside a well-formed IRC message line) that a single content match cannot see. The practical response is to treat the alert as a prompt to check that context rather than as a verdict.
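To make the point concrete, here is an added example (my own, not part of the original post or of Snort) that replays the SID 498 content match over constructed packets and then applies one piece of context the rule itself does not have: whether the match arrived from an IRC server port inside a well-formed PRIVMSG line. The packet contents, the host addresses and the choice of port 6667 are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# The content match from Snort's ATTACK-RESPONSES rule (SID 498): the literal
# string "uid=0(root)" anywhere in the payload, any port, either direction.
ROOT_ID_PATTERN = re.compile(rb"uid=0\(root\)")

# A chat line as an IRC server delivers it: ":nick!user@host PRIVMSG #chan :text"
IRC_PRIVMSG = re.compile(rb"^:[^ ]+ PRIVMSG [^ ]+ :(.*)$")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def sid498_matches(payload: bytes) -> bool:
    """What the Snort rule sees: a bare substring match, nothing more."""
    return ROOT_ID_PATTERN.search(payload) is not None


def triage(pkt: Packet, irc_ports=(6667,)) -> str:
    """Return 'no_match', 'probable_paste' or 'investigate'.

    The PRIVMSG heuristic is an assumption of this example, not part of the
    rule: a match that comes from an IRC server port and sits entirely inside a
    well-formed PRIVMSG line is most likely someone pasting terminal output.
    """
    if not sid498_matches(pkt.payload):
        return "no_match"
    if pkt.sport in irc_ports:
        for line in pkt.payload.split(b"\r\n"):
            m = IRC_PRIVMSG.match(line)
            if m and ROOT_ID_PATTERN.search(m.group(1)):
                return "probable_paste"
    return "investigate"


# Constructed sample traffic (hosts and contents are invented for the example).
# 1. A freenode server relaying a pasted shell session to a client on HOME_NET.
PASTED_IRC = Packet(
    src="198.51.100.7", sport=6667, dst="192.0.2.10", dport=51234,
    payload=(b":alice!~alice@example.org PRIVMSG #linux :$ id\r\n"
             b":alice!~alice@example.org PRIVMSG #linux :uid=0(root) gid=0(root) groups=0(root)\r\n"),
)
# 2. Raw command output leaving HOME_NET on an arbitrary port: a shell talking
#    back to whoever is on the other end, with no protocol framing at all.
RAW_SHELL = Packet(
    src="192.0.2.10", sport=4444, dst="203.0.113.5", dport=31337,
    payload=b"uid=0(root) gid=0(root) groups=0(root)\n",
)
# 3. Ordinary chat that never trips the content match.
BENIGN_IRC = Packet(
    src="198.51.100.7", sport=6667, dst="192.0.2.10", dport=51234,
    payload=b":bob!~bob@example.net PRIVMSG #linux :try running id as your user\r\n",
)


def run_samples() -> dict:
    return {
        "pasted_irc": triage(PASTED_IRC),
        "raw_shell": triage(RAW_SHELL),
        "benign_irc": triage(BENIGN_IRC),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Note what the heuristic does and does not buy you. It downgrades the paste I saw to "probable_paste" while leaving the unframed shell output as "investigate", because the rule alone says the same thing about both. But if a compromised IRC client were made to send its command output back through the same IRC server as chat text, that traffic would also arrive inside a PRIVMSG and be downgraded too. Context reduces the noise; it does not turn a substring match into proof either way, which is exactly why this alert needs a human to read the surrounding session.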