[Snort-devel] Maybe I'm missing something...

Will Metcalf william.metcalf at ...2499...
Thu May 6 00:14:48 EDT 2010


Ahh indeed!  I feel like an idiot for missing that.  Thanks Beenph!

Regards,

Will

On Wed, May 5, 2010 at 11:01 PM, beenph <beenph at ...2499...> wrote:
> Missed the colon not quite visible on my monitor, my bad.
>
> But besides that,
>
> alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES
> Battle.net connection reset (possible IP-Ban)"; classtype:
> policy-violation;
> reference:url,doc.emergingthreats.net/bin/view/Main/2002117;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet;
> sid:2002117; rev:5;)
>
>
>  Seems like ACK is set in the reply (wireshark)
>  flags:R,12; -> flags:+R,12
>
>
>
>
> On Wed, May 5, 2010 at 11:50 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
>>
>> Don't forget the colon...
>> > alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024:
>> >
>>
>> According to the example in the Snort manual, this means any port equal
>> to or greater than 1024, and 43844 > 1024.
>>
>>  "log tcp any :1024 -> 192.168.1.0/24 500:
>>  log tcp traffic from privileged ports less than or equal to 1024
>>  going to ports greater than or equal to 500"
>>
>> Regards,
>>
>> Will
>
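As an added example (not code from the thread, from Snort, or from the Emerging Threats rule set), here is a small Python model of the two rule-language details the thread turns on: a port spec such as `1024:` meaning "1024 or higher", and the `flags:` option, where `R,12` matches only a bare RST (ECN bits 1 and 2 masked) while `+R,12` also matches RST/ACK. The semantics follow the Snort manual's description of `flags:` modifiers (`+`, `*`, `!`) and the mask after the comma; the sample packet (Battle.net server port 6112 answering an ephemeral port with RST/ACK) is constructed for illustration.

```python
"""Model of Snort port specs ("1024:", ":1024", "500:1024", "any", "!80")
and the tcp flags: option ("R,12", "+R,12", "*SA", "!A") as the manual
documents them. Added example; not Snort's own code."""

# TCP flag bits with the single-letter names Snort uses in flags:.
# "1" and "2" are the ECN bits (CWR, ECE); the ",12" mask tells Snort to
# ignore them so ECN-capable hosts do not break an exact match.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def flags_to_bits(letters):
    """Turn a flag string like "SA" into a bitmask. "0" means no flags."""
    bits = 0
    for ch in letters:
        if ch != "0":
            bits |= FLAG_BITS[ch]
    return bits


def make_flags_matcher(spec):
    """Return a predicate on a packet's TCP flag byte for a flags: value.

    No modifier: exactly these bits set (after masking).
    "+": these bits set, any others allowed.  "*": any of these bits set.
    "!": none of these bits set.  Text after the comma: bits to ignore.
    """
    flags_part, _, mask_part = spec.partition(",")
    modifier = ""
    if flags_part[:1] in ("+", "*", "!"):
        modifier, flags_part = flags_part[0], flags_part[1:]
    want = flags_to_bits(flags_part)
    ignore = flags_to_bits(mask_part)

    def match(pkt_flags):
        f = pkt_flags & ~ignore & 0xFF
        if modifier == "+":
            return (f & want) == want
        if modifier == "*":
            return (f & want) != 0
        if modifier == "!":
            return (f & want) == 0
        return f == want

    return match


def make_port_matcher(spec):
    """Return a predicate on a port number for a Snort rule-header port spec.

    "any"; a single port; "lo:hi"; ":hi" (<= hi); "lo:" (>= lo);
    a leading "!" negates the whole spec.
    """
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        lo, hi = 0, 65535
    elif ":" in body:
        a, _, b = body.partition(":")
        lo = int(a) if a else 0
        hi = int(b) if b else 65535
    else:
        lo = hi = int(body)

    def match(port):
        inside = lo <= port <= hi
        return not inside if negate else inside

    return match


def rule_matches(src_port_spec, dst_port_spec, flags_spec, pkt):
    """Evaluate the header ports plus a flags: option against a packet dict."""
    return (make_port_matcher(src_port_spec)(pkt["sport"])
            and make_port_matcher(dst_port_spec)(pkt["dport"])
            and make_flags_matcher(flags_spec)(pkt["flags"]))


# Constructed sample packet: server on 6112 answering client port 43844
# with RST/ACK (0x04 | 0x10 = 0x14), as the thread's Wireshark capture shows.
RST_ACK_REPLY = {"sport": 6112, "dport": 43844, "flags": 0x14}

if __name__ == "__main__":
    for spec in ("R,12", "+R,12"):
        print(f"flags:{spec} ->", rule_matches("6112", "1024:", spec, RST_ACK_REPLY))
```

Running it prints `False` for `flags:R,12` and `True` for `flags:+R,12` against the RST/ACK reply, which is the fix beenph arrives at; `1024:` accepts 43844 because the range is open-ended on the high side.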
