[Snort-devel] extend rules options to check tcp win size

m.stiefenhofer at ...2049...
Tue Jun 24 04:45:13 EDT 2003


Hi Neal,

In my opinion a special detection engine is not the best solution. For new
trojans it would be necessary to change the window size.

And if you have it as a new option for rules creation you could be more
flexible - i.e. write rules for outgoing traffic (SYN, win=55808, dst
addr=! HOME_NET => somewhere in your network is an infected host).

I'm no developer but I guess the best place for this is snort.c ?!

Now my question to all developers: do you think it's worth the effort?

Bye
Marek
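
Added example, not part of the original post and not Snort code: a sketch of the match logic the message proposes (SYN, win=55808, destination outside HOME_NET), run over constructed IPv4/TCP headers. The HOME_NET range, the requirement that the source lies inside HOME_NET, the SYN-only flag test and the helper names are assumptions.

```python
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.168.0.0/16")  # assumed HOME_NET
SUSPECT_WINDOW = 55808                             # window size named in the post


def build_packet(src, dst, flags, window):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp


def matches(packet, home_net=HOME_NET, window=SUSPECT_WINDOW):
    """True for an outbound SYN-only segment carrying the suspect window size."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                       # not IPv4 or truncated
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return False                       # bad IHL, not TCP, or truncated TCP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                       # non-first fragment: no TCP header here
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    flags = packet[ihl + 13]
    win = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    syn_only = (flags & 0x3F) == 0x02      # SYN set; FIN/RST/PSH/ACK/URG clear
    return syn_only and win == window and src in home_net and dst not in home_net


# Constructed sample traffic: (description, packet)
SAMPLES = [
    ("outbound SYN, win 55808", build_packet("192.168.1.5", "203.0.113.9", 0x02, 55808)),
    ("outbound SYN, win 65535", build_packet("192.168.1.5", "203.0.113.9", 0x02, 65535)),
    ("outbound SYN+ACK, win 55808", build_packet("192.168.1.5", "203.0.113.9", 0x12, 55808)),
    ("inbound SYN, win 55808", build_packet("203.0.113.9", "192.168.1.5", 0x02, 55808)),
    ("internal SYN, win 55808", build_packet("192.168.1.5", "192.168.2.7", 0x02, 55808)),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        print(f"{label}: {'ALERT' if matches(pkt) else 'ok'}")
```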



