GEN:SID 1:604
Message RSERVICES rsh froot
Summary This event is generated due to the use of a suspicious login attempt
Impact Serious. If successful the attacker may have gained superuser access to the host.
Detailed Information This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".

A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
Affected Systems  
Attack Scenarios If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot
Ease of Attack Simple, no exploit software required
Corrective Action Investigate logs on the target host for further details and more signs of suspicious activity

Use ssh for remote access instead of rlogin.

Disable the "rsh" service if not used, apply a patch if appropriate.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113

Arachnids:
http://www.whitehats.com/info/IDS387
Rule References arachnids: 387