[Snort-devel] TCP warnings broken in CVS?

A.L.Lambert alambert at ...572...
Thu Jul 26 19:30:34 EDT 2001


> That's the stateful inspection code doing its job.  If you want that
> TCP rule to go off, add a "stateless" keyword in the rule option
> section and it'll go off normally.  With stateful inspection turned on
> and the "-z est" switch, Snort won't go off on a rule unless the
> connection has been established first.  Try this rule, it should work:
> 
> alert tcp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test TCP port 10000
> Scan detected"; classtype: attempted-recon; stateless;)

	Ah, that makes perfect sense (and DOH!, I should have known that,
I DID read the docs (I think :)).  Thanks.

-- 
Adam Lambert
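To make the point of the quoted reply concrete, here is an added illustration (not part of the original thread) showing the same detection rule in its two forms. It assumes Snort 1.8-era syntax with the stream4 preprocessor providing stateful inspection and `-z est` on the command line; the `preprocessor stream4` line is an assumed snort.conf setting, and the message strings are constructed for the example.

```snort
# Assumed snort.conf fragment: stream4 supplies the session tracking that
# "-z est" relies on. Run as:  snort -c snort.conf -z est
preprocessor stream4

# Form 1 - no "stateless" keyword. With "-z est" in effect this rule is only
# evaluated on packets belonging to an already-established TCP session, so a
# lone SYN probe to port 10000 (the thing a scan detector wants) never fires it.
alert tcp !$HOME_NET any -> $HOME_NET 10000 (msg:"Test TCP port 10000 probe (established sessions only)"; classtype:attempted-recon;)

# Form 2 - "stateless" added. The rule is now evaluated on every matching
# packet regardless of session state, so the initial SYN triggers the alert.
alert tcp !$HOME_NET any -> $HOME_NET 10000 (msg:"Test TCP port 10000 Scan detected"; classtype:attempted-recon; stateless;)
```

The trade-off: `stateless` gives back visibility into unsolicited packets, but it also reinstates the false-positive and alert-flood exposure that `-z est` was added to reduce, so keep stateless rules narrowly scoped (specific ports, specific directions) rather than applying the keyword wholesale.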
