[Snort-devel] Maybe I'm missing something...

beenph beenph at ...2499...
Wed May 5 23:23:16 EDT 2010


alert tcp $EXTERNAL_NET 6112 -> $HOME_NET *1024*

19:36:55.033713 IP 192.168.100.13.*43844* > 192.168.2.35.6112: Flags
[S], seq 261064610, win 5840, options [mss 1460,sackOK,TS val 4825806
ecr 0,nop,wscale 7], length 0
19:36:55.142385 IP 192.168.2.35.6112 > 192.168.100.13.*43844*: Flags
[R.], seq 0, ack 261064611, win 0, length 0


-elz

On Wed, May 5, 2010 at 11:18 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
> Right, this is an existing sig in the ET ruleset that doesn't fire. If
> I understand flags correctly, we are looking for a reset flag
> regardless of what the reserved bits are set to.  I think this rule
> should fire but doesn't.  Am I wrong?
>
> Regards,
>
> Will
>
> On Wed, May 5, 2010 at 10:10 PM, beenph <beenph at ...2499...> wrote:
>> Well ...will look at clients' ephemeral ports..
>>
>>
>>
>> On Wed, May 5, 2010 at 10:17 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
>>> But I think this rule should fire on the attached pcap.  I realize
>>> that this isn't the intended purpose of the rule but it illustrates
>>> the point.  This is using snort-2.8.5.3, please correct me if I'm
>>> wrong.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES
>>> Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype:
>>> policy-violation;
>>> reference:url,doc.emergingthreats.net/bin/view/Main/2002117;
>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet;
>>> sid:2002117; rev:5;)
>>>
>>> var HOME_NET [10.0.0.0/8,192.168.0.0/16,127.0.0.1]
>>> var EXTERNAL_NET any
>>>
>>> 19:36:55.033713 IP 192.168.100.13.43844 > 192.168.2.35.6112: Flags
>>> [S], seq 261064610, win 5840, options [mss 1460,sackOK,TS val 4825806
>>> ecr 0,nop,wscale 7], length 0
>>> 19:36:55.142385 IP 192.168.2.35.6112 > 192.168.100.13.43844: Flags
>>> [R.], seq 0, ack 261064611, win 0, length 0
>>>
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>>
>>
>
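The check the question in this thread comes down to, as an added example: a small Python re-implementation of the matching semantics of Snort's `flags` rule option, as documented in the Snort 2.x manual (this is not Snort's code and was not posted by anyone in the thread), run against the two tcpdump lines quoted above. The second packet is `[R.]`, a RST with ACK set. `flags:R,12` is an exact match for RST alone, with only reserved bits 1 and 2 masked off before the comparison, so the ACK bit keeps it from matching; `flags:R+` (RST plus any other bits) or `flags:RA` would match. The destination port test `1024:` does cover 43844, so the port is not what stops the rule. The packet list is transcribed from the thread's tcpdump output; the HOME_NET/EXTERNAL_NET address tests are left out.

```python
"""Snort ``flags`` option semantics, re-implemented to check the ET rule and
the two packets quoted in this thread.  Added example: this is not Snort's
code and was not posted by anyone in the thread.  Bit values, the +/*/!
modifiers and the ",<bits to ignore>" list follow the Snort 2.x manual;
the tcpdump flag letters follow the tcpdump man page."""

# TCP flags byte, with the letter Snort's ``flags`` option uses for each bit.
# Snort names the two ECN/reserved bits '1' (MSB of the byte, CWR) and '2' (ECE).
SNORT_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                   "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

# tcpdump's notation for the same bits, as printed in the thread ([S], [R.]).
TCPDUMP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                     ".": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def tcpdump_flags_to_byte(text):
    """'[R.]' -> 0x14 (RST|ACK); tcpdump prints '[none]' when no flag is set."""
    inner = text.strip("[]")
    return 0 if inner == "none" else sum(TCPDUMP_FLAG_BITS[c] for c in inner)


def parse_flags_option(option):
    """Parse the argument of ``flags:``, e.g. 'R,12', 'A+' or '!SA'.

    Returns (mode, want, ignore): mode is '' (exact), '+' (all listed bits,
    others don't care), '*' (any listed bit) or '!' (none of the listed bits);
    want is the listed bits; ignore is the bits after the comma, which are
    masked off the packet before comparing.  Snort accepts the modifier before
    or after the letters, and '0' means "no flags set"."""
    spec, _, ignore_spec = option.replace(" ", "").partition(",")
    mode, letters = "", ""
    for c in spec:
        if c in "+*!":
            mode = c
        elif c != "0":
            letters += c
    want = sum(SNORT_FLAG_BITS[c] for c in letters)
    ignore = sum(SNORT_FLAG_BITS[c] for c in ignore_spec)
    return mode, want, ignore


def flags_match(option, flag_byte):
    """Evaluate a ``flags:`` option against a packet's TCP flags byte."""
    mode, want, ignore = parse_flags_option(option)
    have = flag_byte & (0xFF ^ ignore)
    if mode == "":
        return have == want            # exact: RST alone, not RST|ACK
    if mode == "+":
        return (have & want) == want   # listed bits set, anything else allowed
    if mode == "*":
        return (have & want) != 0      # at least one listed bit set
    return (have & want) == 0          # '!': none of the listed bits set


def port_matches(spec, port):
    """Snort port spec: 'any', '6112', '1024:', ':1024', '1024:2048', '!...'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))


# The two packets quoted in the thread, transcribed from the tcpdump lines:
# (src_ip, src_port, dst_ip, dst_port, tcpdump flags).
PCAP = [
    ("192.168.100.13", 43844, "192.168.2.35", 6112, "[S]"),
    ("192.168.2.35", 6112, "192.168.100.13", 43844, "[R.]"),
]


def rule_hits(flags_option, src_port_spec="6112", dst_port_spec="1024:"):
    """Indices of PCAP packets passing the quoted rule's port tests
    ($EXTERNAL_NET 6112 -> $HOME_NET 1024:) and the given flags option.
    Address tests are omitted: with EXTERNAL_NET any and the quoted HOME_NET
    the addresses in both packets satisfy them."""
    return [i for i, (_, sport, _, dport, fl) in enumerate(PCAP)
            if port_matches(src_port_spec, sport)
            and port_matches(dst_port_spec, dport)
            and flags_match(flags_option, tcpdump_flags_to_byte(fl))]


if __name__ == "__main__":
    for opt in ("R,12", "R", "R+", "RA", "RA,12", "A+"):
        print(f"flags:{opt:<6} -> matching packets: {rule_hits(opt)}")
```

Under these semantics `flags:R,12` fires only on a bare RST, the kind tcpdump prints as `[R]`. A RST answering a SYN, as in the pcap above, carries ACK, so a rule meant to catch those resets needs `R+` or `RA`.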