[Snort-sigs] mods to curb false positive on x11 rules?

Ryan Russell ryan at ...113...
Thu May 30 15:10:02 EDT 2002


On Thu, 30 May 2002, Michael Scheidell wrote:

> Question two:
> is the suggestion on whitehats a possible solution?
> http://www.whitehats.com/info/IDS126
> They suggest to look for the S and the A flags together.
>
> do you want the SA (syn/ack) flags to trigger alert?

I don't think so... the SYN and ACK flags normally occur only on the
second packet, before the handshake is done.  This would normally be
before any "content" would be in the packets, so those rules would never
fire.

At least, that's what I think would happen.  I don't know how the TCP
flags and stream reassembly mix.

				Ryan
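To make the point in this message concrete, here is a small added example (not code from Ryan, Michael, whitehats or the Snort project) that models a TCP three-way handshake as individual packets and evaluates two Snort-style rules against it: one that requires `flags:SA` plus a content match, and one that uses `flags:A+`. The flag-matching semantics (exact match, `+`, `*`, `!`) are an emulation of the Snort `flags:` option as I understand it, and the X11 payload bytes (`6c 00 0b 00`, the little-endian connection-setup prefix) are an assumption about what an x11 rule might key on. Packets are evaluated one at a time, with no stream reassembly, which is exactly the interaction Ryan says he is unsure about.

```python
# Added example: emulate Snort-style 'flags:' + 'content:' matching over a
# constructed TCP handshake. Not Snort's own code; the flag semantics below
# are an assumption about how the 'flags:' option behaves.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    flags: str            # subset of "FSRPAU" (TCP flag letters as Snort spells them)
    payload: bytes = b""  # TCP payload; empty during the handshake


@dataclass
class Rule:
    msg: str
    flags: Optional[str] = None    # e.g. "SA", "A+", "*SA", "!SA"
    content: Optional[bytes] = None


def flags_match(spec: str, pkt_flags: str) -> bool:
    """Emulate the Snort 'flags:' modifier.

    'SA'   exact: precisely S and A set, nothing else
    'A+'   A set, any other flags allowed
    '*SA'  any of S or A set
    '!..'  negate whichever form follows
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    mode = "exact"
    if spec.startswith("*"):
        mode, spec = "any", spec[1:]
    elif spec.endswith("+"):
        mode, spec = "plus", spec[:-1]
    have, want = set(pkt_flags), set(spec)
    if mode == "exact":
        ok = have == want
    elif mode == "plus":
        ok = want <= have
    else:
        ok = bool(want & have)
    return (not ok) if negate else ok


def rule_fires(rule: Rule, pkt: Packet) -> bool:
    """Per-packet evaluation: every option present must match."""
    if rule.flags is not None and not flags_match(rule.flags, pkt.flags):
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def alerts(rule: Rule, packets: List[Packet]) -> List[int]:
    """Indices of packets on which the rule fires."""
    return [i for i, p in enumerate(packets) if rule_fires(rule, p)]


# Assumption: an X11 client's little-endian connection setup starts with
# 'l' (0x6c), a pad byte, then protocol-major-version 11 as a 16-bit LE value.
X11_SETUP = bytes.fromhex("6c000b00")

# Constructed handshake followed by the first data packet to port 6000.
HANDSHAKE = [
    Packet("S"),                                # client SYN
    Packet("SA"),                               # server SYN/ACK: no payload yet
    Packet("A"),                                # client ACK completes the handshake
    Packet("PA", X11_SETUP + b"\x00" * 8),      # first data-bearing segment
    Packet("A"),                                # server ACK of the data
]

SA_RULE = Rule("X11 connect (flags:SA + content)", flags="SA", content=X11_SETUP)
APLUS_RULE = Rule("X11 connect (flags:A+ + content)", flags="A+", content=X11_SETUP)


def demo():
    """Return which packets each rule variant fires on for HANDSHAKE."""
    return {
        "SA": alerts(SA_RULE, HANDSHAKE),       # [] : the SYN/ACK carries no content
        "A+": alerts(APLUS_RULE, HANDSHAKE),    # [3]: only the data packet matches
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"flags:{name:<3} fires on packets {hits}")
```

The `flags:SA` variant never fires on this exchange because the only SYN/ACK is the server's handshake reply, which carries no payload for `content:` to match; the `flags:A+` variant fires once, on the first data packet. Whether a reassembled stream would be handed to the rule with different flag state is not modelled here.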
