[Snort-devel] Maybe I'm missing something...

beenph beenph at ...2499...
Thu May 6 00:01:47 EDT 2010


Missed the colon not quite visible on my monitor, my bad.

But besides that,

alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet; sid:2002117; rev:5;)


 Seems like ACK is set in reply (wireshark)
 flags:R,12; -> flags:+R,12




On Wed, May 5, 2010 at 11:50 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
>
> Don't forget the colon...
> > alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024:
> >
>
> According to the example in the snort manual this means any port equal
> to or greater than 1024, 43844 > 1024.
>
>  "log tcp any :1024 -> 192.168.1.0/24 500:
>  log tcp traffic from privileged ports less than or equal to 1024
> going to ports greater than or equal to 500
> "
> Regards,
>
> Will
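As an added example (not code from this thread or from Snort itself), here is a small Python model of the two pieces of rule syntax discussed above: the port ranges `:1024` / `1024:` from the manual excerpt, and the `flags:R,12` versus `flags:+R,12` modifier. The flag letters and the `+`, `*`, `!` modifiers follow the Snort manual's `flags` option; the mapping of reserved bits `1` and `2` to 0x80 and 0x40, and the helper name `et_2002117_hits`, are assumptions.

```python
# Reference model of two bits of Snort rule syntax from this thread (added
# example, not Snort source): port specs such as "1024:" / ":1024" and the
# flags option, e.g. "R,12" (exactly RST, ignoring reserved bits 1 and 2)
# versus "+R,12" (RST set, any other bits allowed). A RST+ACK reply matches
# the second form but not the first, which is the point raised in the mail.

# Snort flag letters -> TCP flag-byte bits. Reserved bits "1" and "2" are
# assumed here to be the two high bits (0x80, 0x40); "0" means "no flags".
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10,
             "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00}


def port_matches(spec, port):
    """True if port falls inside a Snort port spec: any, N, N:, :N, N:M, !spec."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)          # "1024:" -> lo="1024", hi=""
        hit = (lo == "" or int(lo) <= port) and (hi == "" or port <= int(hi))
    else:
        hit = port == int(spec)
    return hit != negate


def flags_match(option, tcp_flags):
    """Evaluate a Snort flags: option value against an 8-bit TCP flags field."""
    wanted, _, mask_letters = option.partition(",")
    mask = sum(FLAG_BITS[c] for c in mask_letters)  # bits to ignore entirely
    modifier = ""
    if wanted[:1] in ("+", "*", "!"):
        modifier, wanted = wanted[0], wanted[1:]
    need = sum(FLAG_BITS[c] for c in wanted)
    seen = tcp_flags & 0xFF & ~mask
    if modifier == "+":      # all listed bits set, others do not matter
        return seen & need == need
    if modifier == "*":      # any listed bit set
        return seen & need != 0
    if modifier == "!":      # none of the listed bits set
        return seen & need == 0
    return seen == need      # default: exact match after masking


def et_2002117_hits(src_port, dst_port, tcp_flags, flags_opt="R,12"):
    """Header + flags check for the thread's rule: tcp any 6112 -> any 1024:."""
    return (port_matches("6112", src_port) and port_matches("1024:", dst_port)
            and flags_match(flags_opt, tcp_flags))
```

With the Wireshark observation from the mail (reply carries RST and ACK, flags byte 0x14), `et_2002117_hits(6112, 43844, 0x14)` is False under `R,12` and True under `+R,12`.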