[Snort-sigs] problems setting flags

studentmm08.pool-id at ...1755...
Mon Aug 25 09:30:21 EDT 2003


>>all works fine, but all packets with ACK and SYN flags trigger the
>>alert rule.

I think that means the -o flag is already set. If it were not, all packets
would trigger it.

The solution to my problem must be another one.


>You need to change your rule ordering either with the -o command line
>switch, or with the "config order" directive in the configuration file:
>
>    config order: pass alert dynamic activation log
>
>Otherwise, the alert rules are processed before the pass rules.  But be
>*VERY* careful when you do this -- or you could bypass all of your
>detection rules in one fell swoop...
>
>studentmm08.pool-id at ...1755... wrote:
>
>>pass tcp $LAN any -> $PROXY 80
>>pass tcp $PROXY 80 -> $LAN any (flags: !S;)
>>
>>alert tcp any any -> any any
>>
>>all works fine, but all packets with ACK and SYN flags trigger the
>>alert rule.
>>I did try a third pass rule for the proxy with (flags: AS;) and another
>>with (flags: A+;), but none of this works.
>>
>>How do I write a pass rule which says to pass all TCP packets containing
>>ACK/SYN flags?
>>
>>This cannot be the problem?
>>I think I must take a holiday to get a clear head....
>>
>>thx
>>andreas
>>
>>
>>
>>
>
>--
>"The trouble with doing something right the first time
> is that nobody appreciates how difficult it was."
>
>-- Dale L. Handy, P.E.
>   dhandy at ...1244...
>   http://www.nitrodata.com
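As an added illustration (not part of the thread, and not Snort's own code), a small Python model of the two things discussed above: the flags modifiers and the pass/alert rule order. The $LAN/$PROXY networks and the packets are constructed; the ',12' mask in the extra pass rule is Snort's documented way of ignoring the two reserved flag bits so an exact 'SA' match does not fail when they are set.

```python
"""Toy model of Snort's 'flags' option and pass/alert rule ordering (added example, not Snort code)."""
import ipaddress
from typing import NamedTuple, Optional

# Snort flag letters -> TCP flag bits; '1' and '2' are the reserved bits (0x80, 0x40) later used by ECN.
BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
# Constructed networks standing in for the thread's $LAN and $PROXY variables.
VARS = {"$LAN": ipaddress.ip_network("10.0.0.0/24"), "$PROXY": ipaddress.ip_network("10.0.1.5/32")}
DEFAULT_ORDER = ("alert", "pass")   # Snort's default: alert rules are checked before pass rules
PASS_FIRST = ("pass", "alert")      # what -o or 'config order: pass alert ...' gives you

class Pkt(NamedTuple):
    src: str; sport: int; dst: str; dport: int; flags: int

def to_bits(letters) -> int:
    return sum(BITS[c] for c in letters)

def flags_match(spec: str, pkt_flags: int) -> bool:
    """flags:<spec>: plain letters = exact match, '+' = all listed bits set (others may be),
    '*' = any listed bit set, '!' = none of the listed bits set; ',<mask>' bits are ignored."""
    spec, _, mask = spec.replace(" ", "").partition(",")
    mode = next((c for c in spec if c in "!+*"), "")
    want, pkt = to_bits(c for c in spec if c not in "!+*"), pkt_flags & ~to_bits(mask)
    return {"+": pkt & want == want, "*": pkt & want != 0, "!": pkt & want == 0}.get(mode, pkt == want)

def verdict(rules, pkt: Pkt, order=DEFAULT_ORDER) -> Optional[str]:
    """Action of the first matching rule, honouring the rule-type order (None = no rule matched)."""
    def ok(var, ip): return var == "any" or ipaddress.ip_address(ip) in VARS[var]
    for action in order:                      # rule types are evaluated group by group
        for act, src, sp, dst, dp, spec in rules:
            if (act == action and ok(src, pkt.src) and ok(dst, pkt.dst)
                    and sp in ("any", str(pkt.sport)) and dp in ("any", str(pkt.dport))
                    and (spec is None or flags_match(spec, pkt.flags))):
                return action
    return None

# The rule set quoted in the thread, as (action, src, sport, dst, dport, flags-spec).
THREAD_RULES = [("pass", "$LAN", "any", "$PROXY", "80", None),
                ("pass", "$PROXY", "80", "$LAN", "any", "!S"),
                ("alert", "any", "any", "any", "any", None)]
# Extra pass rule for the proxy's SYN/ACK; the ',12' mask keeps it matching when the reserved bits are set.
SYNACK_PASS = ("pass", "$PROXY", "80", "$LAN", "any", "SA,12")

SYN_ACK = Pkt("10.0.1.5", 80, "10.0.0.7", 40000, to_bits("SA"))       # constructed: proxy -> LAN host
SYN_ACK_ECN = Pkt("10.0.1.5", 80, "10.0.0.7", 40000, to_bits("SA2"))  # same, with reserved bit 2 set
ACK = Pkt("10.0.1.5", 80, "10.0.0.7", 40000, to_bits("A"))

# verdict(THREAD_RULES, ACK)                 -> "alert": in the default order the pass rules are never reached
# verdict(THREAD_RULES, ACK, PASS_FIRST)     -> "pass"
# verdict(THREAD_RULES, SYN_ACK, PASS_FIRST) -> "alert": '!S' means "SYN not set", so SYN/ACK is not passed
# verdict(THREAD_RULES + [SYNACK_PASS], SYN_ACK_ECN, PASS_FIRST) -> "pass"
```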