[Snort-devel] TCP warnings broken in CVS?
alambert at ...572...
Thu Jul 26 19:30:34 EDT 2001
> That's the stateful inspection code doing its job. If you want that
> TCP rule to go off, add a "stateless" keyword in the rule option
> section and it'll go off normally. With stateful inspection turned on
> and the "-z est" switch, Snort won't go off on a rule unless the
> connection has been established first. Try this rule, it should work:
> alert tcp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test TCP port 10000 Scan detected"; classtype: attempted-recon; stateless;)
Ah, that makes perfect sense (and DOH!, I should have known that,
I DID read the docs (I think :)). Thanks.