[Snort-sigs] DDOS mstream c->h and h->c

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Apr 29 12:01:13 EDT 2002


I noticed today that I had two separate instances (grouped by sig_id) of
handler to client... Looks like the rules are identical (except for the
port).  Possibly change the msg to be "DDOS mstream handler 15104|12754...."

The other one related to flags in this first rule... Should they be the same
as the second, or is this correct?  Also, what about adding flow to these?

I believe to_server (from_client) works for all 4 of these.

alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags: S; reference:arachnids,111; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:249; rev:1;)

alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:248; rev:1;)

alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:250; rev:1;)
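The two observations in the post (rules 248 and 250 differ only in a port; rules 247 and 249 share a msg but differ in flags, content and references; none of the four carries a flow option) can be checked mechanically across a ruleset. The script below is an added example and is not code from the post or from the Snort project. It parses the four rules quoted above with a deliberately simplified header/option splitter (an assumption: it handles one-line rules and escaped semicolons only, not the full Snort grammar), and the function names are hypothetical.

```python
"""Audit a set of Snort rules for near-duplicates and missing options.

Added example, not part of the original post: reproduces the two observations
made in the message (port-only duplicates, same-msg rules with differing
options) and lists rules that lack a given option keyword such as 'flow'.
"""
import re

# The four rules quoted in the post, re-joined onto single lines.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags: S; reference:arachnids,111; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:249; rev:1;)',
    'alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+;reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:248; rev:1;)',
    'alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:250; rev:1;)',
]

# Simplified rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def parse_rule(text):
    """Split a one-line rule into header fields and a list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a recognised rule header: %r' % text)
    header = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = []
    # Split on ';' unless it is escaped as '\;' (permitted inside content strings).
    for part in re.split(r'(?<!\\);', m.group('opts')):
        part = part.strip()
        if not part:
            continue
        if ':' in part:
            keyword, value = part.split(':', 1)
            options.append((keyword.strip(), value.strip()))
        else:
            options.append((part, None))  # bare modifiers such as 'nocase'
    return header, options


def sid_of(rule):
    """Return the numeric sid of a parsed rule."""
    _, options = rule
    return int(dict(options)['sid'])


def detection_signature(options):
    """Options that decide what a rule matches; sid and rev are bookkeeping and excluded."""
    return tuple(sorted((k, v or '') for k, v in options if k not in ('sid', 'rev')))


def port_only_duplicates(rules):
    """Group rules that are identical apart from the ports in their headers.

    Returns one (sorted sids, sorted (sport, dport) pairs) entry per group of size > 1.
    """
    groups = {}
    for header, options in rules:
        key = (header['action'], header['proto'], header['src'], header['dir'],
               header['dst'], detection_signature(options))
        groups.setdefault(key, []).append((header, options))
    result = []
    for members in groups.values():
        if len(members) > 1:
            sids = sorted(sid_of(r) for r in members)
            ports = sorted((h['sport'], h['dport']) for h, _ in members)
            result.append((sids, ports))
    return result


def option_differences_by_msg(rules):
    """For rules sharing a msg, return the detection options not common to all of them."""
    by_msg = {}
    for _, options in rules:
        by_msg.setdefault(dict(options).get('msg'), []).append(set(detection_signature(options)))
    differences = {}
    for msg, sigs in by_msg.items():
        if len(sigs) > 1:
            diff = set.union(*sigs) - set.intersection(*sigs)
            if diff:
                differences[msg] = diff
    return differences


def sids_missing_option(rules, keyword):
    """sids of rules that carry no option with the given keyword (e.g. 'flow')."""
    return sorted(sid_of(r) for r in rules if keyword not in dict(r[1]))


if __name__ == '__main__':
    parsed = [parse_rule(r) for r in RULES]
    for sids, ports in port_only_duplicates(parsed):
        print('identical except for port:', sids, ports)
    for msg, diff in option_differences_by_msg(parsed).items():
        print('same msg, differing options:', msg, sorted(diff))
    print('rules without a flow option:', sids_missing_option(parsed, 'flow'))
```

Run against the four rules, the port-only check groups sids 248 and 250, the msg check reports that the two "client to handler" rules disagree on content, flags and the arachnids reference, and all four sids come back as lacking flow.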
