[Snort-sigs] Newbie Rule Question

Matt Kettler mkettler at ...189...
Thu Aug 22 15:28:01 EDT 2002


Well, first off, you should be aware the "reserved" 1 flag isn't that 
unusual and it's certainly NOT invalid. It's used to negotiate support for 
ECN nowadays. The kernel.org server for linux kernels uses ECN, for 
example. See RFC 3168 (http://www.ietf.org/rfc/rfc3168.txt) for details 
about ECN's usage of 2 previously reserved header flag bits.

Second, are you sure the packets you're seeing in tcpdump (on the same 
interface snort is listening to) are addressed to an IP address in 
$INTERNAL? (Common mistakes here include snort on the outside interface of 
a NAT firewall, with INTERNAL set to the post-NAT IP addresses.)


At 05:38 PM 8/22/2002 -0400, Brett.Gillett at ...772... wrote:
>Hey everyone,
>
>I am trying to write a snort rule that will capture invalid packets from a
>specific source, I have come up with something, but it doesn't seem to be
>working.  If I run tcpdump I can see the source and the bad packet but
>snort does not alert on it... Here's the rule
>
>alert tcp a.b.c.0/24 any -> $INTERNAL any (flags: 1+; msg: "XXX Unusual
>Packet";)
>
>I also tried it with alert ip and still no luck.  Any suggestions??
>
>TIA,
>
>Brett
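Added example (not code from either poster or from the Snort project): a small Python model of the two points Matt makes. It maps Snort's flag letters onto the TCP flags byte, treating "1" as the MSB (0x80) and "2" as 0x40 as the Snort manual describes them, which are exactly the bits RFC 3168 reassigned as CWR and ECE; it then evaluates the header part of Brett's rule against a constructed ECN-setup SYN, once with a destination inside $INTERNAL and once with the destination being the pre-NAT public address seen on the outside interface. The `+`/`*` handling is a simplified reimplementation of the option, the `,mask` suffix is ignored, and all addresses are RFC 5737 documentation ranges standing in for a.b.c.0/24 and $INTERNAL.

```python
import ipaddress
import struct

# Letters accepted by Snort's "flags:" option mapped to bits of the TCP flags
# byte. F/S/R/P/A/U are the standard flags. "1" and "2" are the two bits that
# were "reserved" when the option was written; the Snort manual describes 1 as
# the MSB of the flags byte, so 1 = 0x80 and 2 = 0x40 (assumed mapping).
# RFC 3168 reassigned exactly those bits as CWR (0x80) and ECE (0x40), which is
# why an ECN-capable host trips "flags: 1+" on every ECN-setup SYN it sends.
SNORT_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80,
}
RFC3168_NAMES = {0x80: "CWR", 0x40: "ECE"}


def parse_flags_option(spec):
    """Turn a Snort flags value such as "1+", "S" or "SF*" into
    (required_bits, mode). Mode "" = exact match, "+" = the named bits plus
    any others, "*" = any of the named bits. Simplified reimplementation for
    illustration; the ",mask" suffix is not handled."""
    mode = ""
    required = 0
    for ch in spec.strip():
        if ch in "+*":
            mode = ch
        else:
            required |= SNORT_FLAG_BITS[ch]
    return required, mode


def flags_match(flags_byte, spec):
    required, mode = parse_flags_option(spec)
    if mode == "+":
        return flags_byte & required == required
    if mode == "*":
        return flags_byte & required != 0
    return flags_byte == required


def describe_flags(flags_byte):
    """Name each set bit, using RFC 3168 names for the two ex-reserved bits."""
    names = []
    for letter, bit in sorted(SNORT_FLAG_BITS.items(), key=lambda kv: kv[1]):
        if flags_byte & bit:
            names.append(RFC3168_NAMES.get(bit, letter))
    return names


def tcp_flags_from_header(tcp_header):
    """The flags byte sits at offset 13 of the TCP header (RFC 793 layout)."""
    return tcp_header[13]


def build_tcp_header(sport, dport, flags):
    """Constructed minimal 20-byte TCP header (seq/ack/checksum zeroed)."""
    data_offset = 5 << 4  # 5 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def rule_matches(rule, src_ip, dst_ip, tcp_header):
    """Evaluate the header part of
    alert tcp a.b.c.0/24 any -> $INTERNAL any (flags: 1+; ...)
    Returns (matched, reason) so a mis-set $INTERNAL is visible, not silent."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if not any(src in net for net in rule["src_nets"]):
        return False, "source not in rule's source network"
    if not any(dst in net for net in rule["dst_nets"]):
        return False, "destination not in $INTERNAL (check NAT / interface placement)"
    flags = tcp_flags_from_header(tcp_header)
    if not flags_match(flags, rule["flags"]):
        return False, "flags %s do not satisfy 'flags:%s'" % (describe_flags(flags), rule["flags"])
    return True, "match: flags %s" % describe_flags(flags)


# Constructed scenario with RFC 5737 documentation addresses:
# 203.0.113.0/24 stands in for a.b.c.0/24; $INTERNAL is the post-NAT LAN.
RULE = {
    "src_nets": [ipaddress.ip_network("203.0.113.0/24")],
    "dst_nets": [ipaddress.ip_network("192.168.1.0/24")],  # $INTERNAL as configured
    "flags": "1+",
}
# SYN with ECE and CWR set: the ECN-setup SYN of RFC 3168 section 6.1.1.
ECN_SETUP_SYN = build_tcp_header(40000, 80, 0x02 | 0x40 | 0x80)

if __name__ == "__main__":
    # Inside interface: destination is the LAN host, so the rule fires.
    print(rule_matches(RULE, "203.0.113.7", "192.168.1.20", ECN_SETUP_SYN))
    # Outside interface of a NAT firewall: tcpdump shows the same packet, but
    # its destination is the public address, not in $INTERNAL, so no alert.
    print(rule_matches(RULE, "203.0.113.7", "198.51.100.1", ECN_SETUP_SYN))
```

The second call is the mistake Matt describes: the packet is genuinely on the wire, tcpdump on that interface shows it, but the destination address the sensor sees is the firewall's public one, so the `-> $INTERNAL` part of the header never matches and the flags option is never even evaluated.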
