[Snort-devel] extend rules options to check tcp win size
cmg at ...402...
Thu Jun 26 05:18:13 EDT 2003
m.stiefenhofer at ...2049... writes:
> Hi Neal,
> In my opinion a special detection engine is not the best solution. For new
> trojans it would be necessary to change the windows size.
> And if you have it as new option for rules creation you could be more
> flexible - i.e. write rules for outgoing traffic (SYN, win=55808, dst
> addr=! HOME_NET => somewhere in your network is an infected host).
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg: "OUTGOING possibly infected host"; window: 55808;)
> I'm no developer but I guess the best place for this is snort.c ?!
close. you could add it to snort.conf :)
Chris Green <cmg at ...402...>
A watched process never cores.