[Snort-sigs] Newbie Rule Question
Matt Kettler
mkettler at ...189...
Thu Aug 22 15:28:01 EDT 2002
Well, first off, you should be aware the "reserved" 1 flag isn't that
unusual and it's certainly NOT invalid. It's used to negotiate support for
ECN nowadays. The kernel.org server for Linux kernels uses ECN, for
example. See RFC 3168 (http://www.ietf.org/rfc/rfc3168.txt) for details
about ECN's usage of the 2 previously reserved header flag bits.
Second, are you sure the packets you're seeing in tcpdump (on the same
interface snort is listening to) are addressed to an IP address in
$INTERNAL? (Common mistakes here include snort on the outside interface of
a NAT firewall, with INTERNAL set to the post-NAT IP addresses.)
At 05:38 PM 8/22/2002 -0400, Brett.Gillett at ...772... wrote:
>Hey everyone,
>
>I am trying to write a snort rule that will capture invalid packets from a
>specific source. I have come up with something, but it doesn't seem to be
>working. If I run tcpdump I can see the source and the bad packet, but
>snort does not alert on it... Here's the rule:
>
>alert tcp a.b.c.0/24 any -> $INTERNAL any (flags: 1+; msg: "XXX Unusual
>Packet";)
>
>I also tried it with alert ip and still no luck. Any suggestions??
>
>TIA,
>
>Brett
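To illustrate both points in the reply above, here is a small Python model (added here, not code from either poster or from Snort itself) of how a `flags:` test and a `$INTERNAL` address check evaluate a few constructed packets; the flag matching is a simplified approximation of Snort's semantics and the addresses are made up.

```python
import ipaddress

# Bit positions in the TCP flags byte. Snort's legacy "1" and "2" flag names
# refer to the two formerly reserved high bits, which RFC 3168 assigned to
# ECN: CWR (0x80) and ECE (0x40).
FLAG_BITS = {"C": 0x80, "E": 0x40, "U": 0x20, "A": 0x10,
             "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
SNORT_ALIASES = {"1": "C", "2": "E"}  # old Snort names for the reserved bits


def flags_match(rule_flags, packet_flags):
    """Approximate Snort 'flags:' semantics: exact match by default,
    trailing '+' = listed bits plus any others, '*' = any listed bit."""
    modifier = rule_flags[-1] if rule_flags[-1] in "+*" else ""
    mask = 0
    for ch in rule_flags.rstrip("+*"):
        mask |= FLAG_BITS[SNORT_ALIASES.get(ch, ch)]
    if modifier == "+":
        return packet_flags & mask == mask
    if modifier == "*":
        return packet_flags & mask != 0
    return packet_flags == mask


def decode_flags(flags_byte):
    """Render a flags byte as Snort-style letters, e.g. 0xC2 -> 'CES'."""
    return "".join(name for name, bit in FLAG_BITS.items() if flags_byte & bit)


def rule_fires(rule_flags, src_net, internal_net, packet):
    """Would 'alert tcp src_net any -> internal_net any (flags: ...)' match?"""
    src_ok = ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(src_net)
    dst_ok = ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(internal_net)
    return src_ok and dst_ok and flags_match(rule_flags, packet["flags"])


# Constructed packets (hypothetical addresses). The first is a normal ECN-setup
# SYN (SYN|ECE|CWR), which "flags: 1+" matches even though it is valid. The
# second has the pre-NAT public address as destination, so with $INTERNAL set
# to the post-NAT range the rule never fires regardless of the flags.
ECN_SYN_TO_INTERNAL = {"src": "10.1.2.7", "dst": "192.168.5.9", "flags": 0xC2}
ECN_SYN_TO_PUBLIC = {"src": "10.1.2.7", "dst": "203.0.113.10", "flags": 0xC2}

if __name__ == "__main__":
    for pkt in (ECN_SYN_TO_INTERNAL, ECN_SYN_TO_PUBLIC):
        print(pkt["dst"], decode_flags(pkt["flags"]),
              rule_fires("1+", "10.1.2.0/24", "192.168.0.0/16", pkt))
```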