[Snort-devel] Maybe I'm missing something...

beenph beenph at ...2499...
Wed May 5 23:10:06 EDT 2010


Well... will look at clients' ephemeral ports.



On Wed, May 5, 2010 at 10:17 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
> But I think this rule should fire on the attached pcap.  I realize
> that this isn't the intended purpose of the rule but it illustrates
> the point.  This is using snort-2.8.5.3, please correct me if I'm
> wrong.
>
> Regards,
>
> Will
>
> alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet; sid:2002117; rev:5;)
>
> var HOME_NET [10.0.0.0/8,192.168.0.0/16,127.0.0.1]
> var EXTERNAL_NET any
>
> 19:36:55.033713 IP 192.168.100.13.43844 > 192.168.2.35.6112: Flags [S], seq 261064610, win 5840, options [mss 1460,sackOK,TS val 4825806 ecr 0,nop,wscale 7], length 0
> 19:36:55.142385 IP 192.168.2.35.6112 > 192.168.100.13.43844: Flags [R.], seq 0, ack 261064611, win 0, length 0
>



