[Snort-devel] extend rules options to check tcp win size

Chris Green cmg at ...402...
Thu Jun 26 05:18:13 EDT 2003


m.stiefenhofer at ...2049... writes:

> Hi Neal,
>
> In my opinion a special detection engine is not the best solution. For new 
> trojans it would be necessary to change the window size. 
>
> And if you have it as new option for rules creation you could be more 
> flexible - i.e. write rules for outgoing traffic (SYN, win=55808, dst 
> addr=! HOME_NET => somewhere in your network is an infected host).

alert tcp $HOME_NET any -> $EXTERNAL_NET \
(msg: "OUTGOING possibly infected host"; window: 55808;)
>
> I'm no developer but I guess the best place for this is snort.c ?!

close.  you could add it to snort.conf :)

-- 
Chris Green <cmg at ...402...>
A watched process never cores.
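To make the check Chris sketches above concrete, here is an added example (not code from this thread or from Snort itself) that re-implements the semantics of that rule over raw IPv4/TCP packets: source in HOME_NET, destination outside it, TCP window equal to 55808. HOME_NET is assumed to be 10.0.0.0/8 for the example, the packets are constructed inline, and the optional SYN requirement mirrors what the quoted poster described but is not part of the rule as written.

```python
"""Re-implementation of the rule
    alert tcp $HOME_NET any -> $EXTERNAL_NET (msg:"OUTGOING possibly infected host"; window: 55808;)
over raw IPv4/TCP packets.  Example code, not from the Snort-devel thread or Snort."""
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption for the example
SUSPECT_WINDOW = 55808                          # window size discussed in the thread
TCP_SYN = 0x02
PROTO_TCP = 6


def build_packet(src, dst, sport, dport, window, flags):
    """Construct a 20-byte IPv4 header plus 20-byte TCP header with no payload.
    Checksums are left at zero; this is constructed test input, not captured traffic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Pull the fields the rule needs out of a raw IPv4 packet; None if not TCP."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != PROTO_TCP:
        return None
    src = ipaddress.ip_address(raw[12:16])
    dst = ipaddress.ip_address(raw[16:20])
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack(
        "!HHIIBBH", raw[ihl:ihl + 16])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "window": window}


def match_outgoing_window(raw, home_net=HOME_NET, window=SUSPECT_WINDOW,
                          require_syn=False):
    """True when the packet would trigger the rule: $HOME_NET -> $EXTERNAL_NET
    with the given TCP window.  require_syn adds the flags:S refinement the
    quoted poster described (the rule as posted does not check flags)."""
    pkt = parse_packet(raw)
    if pkt is None:
        return False
    if pkt["src"] not in home_net or pkt["dst"] in home_net:
        return False
    if require_syn and not (pkt["flags"] & TCP_SYN):
        return False
    return pkt["window"] == window


def scan(packets, **kw):
    """Run the rule over a list of raw packets; return (src, dst) of every hit."""
    hits = []
    for raw in packets:
        if match_outgoing_window(raw, **kw):
            pkt = parse_packet(raw)
            hits.append((str(pkt["src"]), str(pkt["dst"])))
    return hits


# Constructed sample traffic: one suspect SYN, one normal SYN, one internal
# packet with the suspect window, and one outbound ACK with the suspect window.
SAMPLE = [
    build_packet("10.1.2.3", "192.0.2.10", 40000, 80, SUSPECT_WINDOW, TCP_SYN),
    build_packet("10.1.2.3", "192.0.2.10", 40001, 80, 65535, TCP_SYN),
    build_packet("10.1.2.3", "10.9.9.9", 40002, 445, SUSPECT_WINDOW, TCP_SYN),
    build_packet("10.4.4.4", "198.51.100.7", 40003, 443, SUSPECT_WINDOW, 0x10),
]

if __name__ == "__main__":
    for src, dst in scan(SAMPLE):
        print(f"OUTGOING possibly infected host: {src} -> {dst}")
```

Without `require_syn` the scan reports both the outbound SYN and the outbound ACK carrying window 55808, which is exactly what the rule as posted would do; passing `require_syn=True` narrows it to the SYN case the poster had in mind.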