[Snort-sigs] false positives

studentmm08.pool-id at ...1755...
Wed Aug 13 05:24:16 EDT 2003


I have a little problem with my rules and hope one of you can help me, please.

I use snort v2.0.1;
command to start snort:  /usr/local/bin/snort -D -i eth1 -o -c 
all preprocessors are disabled;

part of the config file:

var NET1 [,,,]
var LAN []

pass tcp $LAN any -> $NET1 1697 ( sid: 1300068; rev: 2;)
pass tcp $Net1 1697 -> $LAN any ( sid: 1300069; rev: 2; flags: !S;)

alert udp any any -> any any ( sid: 1000001; rev: 2; msg: catchalludp;)
alert tcp any any -> any any ( sid: 1000002; rev: 1; msg: catchalltcp;)

In my config file there are many more pass rules like the 2 above.
Some of them work correctly, some do not.
The one I posted does not trigger; I get alerts from the whole traffic:

[**] [1:1000002:1] catchalltcp [**]
[Priority: 0]
08/12-16:36:40.387892 ->
TCP TTL:123 TOS:0x0 ID:17723 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x8DA043AC  Ack: 0xA9C6B679  Win: 0xF910  TcpLen: 20

[**] [1:1000002:1] catchalltcp [**]
[Priority: 0]
08/12-16:36:40.582898 ->
TCP TTL:125 TOS:0x0 ID:55351 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xA9C6B679  Ack: 0x8DA043B7  Win: 0xF71A  TcpLen: 20

Can some of you tell me where the problem is?
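One way to check a rule file like the one above for variable references that have no matching `var` definition (flagging names that differ only in case, since `$Net1` above is spelled differently from the defined `$NET1`) and for rule headers that do not parse. This is an added Python example, not Snort's own code and not from the original post; the config below is constructed with placeholder addresses, and the final icmp line is a deliberately malformed header added to exercise the check.

```python
import re

# Constructed sample config modelled on the rules in the post above.
# Addresses are placeholders; the last rule is intentionally malformed.
SAMPLE_CONFIG = """\
var NET1 [10.0.0.1,10.0.0.2]
var LAN [192.168.1.0/24]

pass tcp $LAN any -> $NET1 1697 ( sid: 1300068; rev: 2;)
pass tcp $Net1 1697 -> $LAN any ( sid: 1300069; rev: 2; flags: !S;)

alert udp any any -> any any ( sid: 1000001; rev: 2; msg: catchalludp;)
alert tcp any any -> any any ( sid: 1000002; rev: 1; msg: catchalltcp;)
alert icmp any any > any any ( sid: 1000003; rev: 1; msg: broken;)
"""

VAR_DEF = re.compile(r'^\s*var\s+(\S+)\s+(\S+)')
VAR_REF = re.compile(r'\$([A-Za-z0-9_]+)')
# action proto src sport dir dst dport -- the direction must be -> or <>
RULE_HEAD = re.compile(
    r'^\s*(pass|alert|log)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)')


def lint_rules(config: str) -> list[str]:
    """Return one finding per problem: a $VAR with no definition (with a
    hint when a definition differs only in case) or an unparsable header."""
    defined = {}
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = VAR_DEF.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
            continue
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if RULE_HEAD.match(line) is None:
            findings.append(
                f"line {lineno}: rule header does not parse (missing '->' ?)")
            continue
        for ref in VAR_REF.findall(line):
            if ref in defined:
                continue
            similar = [d for d in defined if d.lower() == ref.lower()]
            hint = f" (did you mean ${similar[0]}?)" if similar else ""
            findings.append(f"line {lineno}: undefined variable ${ref}{hint}")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_CONFIG):
        print(finding)
```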

