[Snort-devel] extend rules options to check tcp win size

m.stiefenhofer at ...2049... m.stiefenhofer at ...2049...
Thu Jun 26 05:37:25 EDT 2003


Chris Green <cmg at ...402...>:
> alert tcp $HOME_NET any -> $EXTERNAL_NET \
> (msg: "OUTGOING possibly infected host"; window: 55808;)

Thanks a lot. I was already pointed at the implemented feature (I only 
searched the documentation for it).

Besides: your rule is wrong, because source addresses will be spoofed. 
Here's mine:

alert tcp any any -> !$HOME_NET any (msg:"SCAN outgoing 55808 Trojan scan"; flags: S; window:55808;)

The SYN flag is also important so that all the replies to 55808 SYN scans 
are not caught as well.
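
The matching logic of that rule, as an added example that is not part of the original message or of Snort itself: a small Python matcher run over constructed TCP headers. It assumes $HOME_NET is 192.168.1.0/24 and treats `flags: S` as an exact match on the TCP flag byte, so a SYN/ACK reply does not fire.

```python
import ipaddress
import struct

# Assumption: stand-in for the $HOME_NET variable used in the rule.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
TROJAN_WINDOW = 55808          # window:55808
SYN, ACK = 0x02, 0x10          # TCP flag bits


def build_tcp_header(sport, dport, flags, window):
    """Constructed 20-byte TCP header (no options, zero checksum) used as sample input."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Extract the flag byte (offset 13) and window size (offsets 14-15) from a raw header."""
    sport, dport, _seq, _ack, _off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "flags": flags, "window": window}


def matches_rule(src_ip, dst_ip, raw_tcp):
    """Mirror of: alert tcp any any -> !$HOME_NET any (flags: S; window:55808;)
    Source address is 'any' (it may be spoofed), destination must be outside HOME_NET,
    the flag byte must be exactly SYN, and the window must equal 55808."""
    if ipaddress.ip_address(dst_ip) in HOME_NET:      # !$HOME_NET destination
        return False
    hdr = parse_tcp_header(raw_tcp)
    return hdr["flags"] == SYN and hdr["window"] == TROJAN_WINDOW


def scan(packets):
    """Return the indexes of packets that would raise the alert."""
    return [i for i, (s, d, raw) in enumerate(packets) if matches_rule(s, d, raw)]


# Constructed sample traffic: (src, dst, tcp header)
SAMPLE = [
    ("192.168.1.10", "203.0.113.5", build_tcp_header(40000, 80, SYN, 55808)),        # outgoing probe
    ("203.0.113.5", "192.168.1.10", build_tcp_header(80, 40000, SYN | ACK, 55808)),  # reply into HOME_NET
    ("192.168.1.10", "203.0.113.6", build_tcp_header(40001, 443, SYN | ACK, 55808)), # not a pure SYN
    ("192.168.1.10", "203.0.113.7", build_tcp_header(40002, 22, SYN, 8192)),         # ordinary window
]

if __name__ == "__main__":
    print(scan(SAMPLE))   # [0]
```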
