[Snort-sigs] syn/fin scans from stream4
erek at ...95...
Thu Aug 28 23:39:04 EDT 2003
On Thu, 28 Aug 2003, Vincent Vono wrote:
> Anyone know how to pass syn/fin scans from a specific source address? The
> events are being triggered by the preprocessor stream4. I have a production
> scanner; when scanning, this event is triggered. Want to stop this from
> triggering from this specific source address.
> I've searched through the docs but find nothing.
You can't have a pass rule for this since this is from a pre-processor.
The only way to stop traffic from going by a pre-processor is to use a BPF
snort <options> 'not src <scanner>'
You can get a bit tricky and do things like:
snort <options> 'not src <scanner> and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0)'
Note: That's not a tested filter. It's late and it may have errors...
It was shamelessly ripped from the tcpdump man page.
"When things get weird, the weird turn pro." H.S. Thompson
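As an added illustration (not from the original thread), the script below builds a few constructed Ethernet/IPv4/TCP frames and evaluates the posted BPF expression against them the way the packet filter would, reading tcp[tcpflags] from byte 13 of the TCP header. It also evaluates an alternative form, 'not (src <scanner> and tcp[tcpflags] & (tcp-syn|tcp-fin) != 0)', which is my assumption of what the original poster wanted: drop only the scanner's SYN/FIN packets and keep all other traffic. The scanner address 10.0.0.5 is a placeholder.

```python
import socket
import struct

SYN, FIN, ACK = 0x02, 0x01, 0x10
SCANNER = "10.0.0.5"  # placeholder for the production scanner's address


def build_tcp_frame(src_ip, dst_ip, flags):
    """Constructed minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def parse(frame):
    """Return (source IP, TCP flags byte) from a frame, as BPF would index it."""
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length
    src = socket.inet_ntoa(frame[26:30])         # IPv4 source address
    tcp_off = 14 + ihl
    flags = frame[tcp_off + 13]                  # tcp[tcpflags] == tcp[13]
    return src, flags


def posted_filter(frame, scanner=SCANNER):
    """'not src <scanner> and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0)' as written in the post."""
    src, flags = parse(frame)
    return src != scanner and (flags & (SYN | FIN)) != 0


def scanner_synfin_only_filter(frame, scanner=SCANNER):
    """Assumed intent: 'not (src <scanner> and tcp[tcpflags] & (tcp-syn|tcp-fin) != 0)'."""
    src, flags = parse(frame)
    return not (src == scanner and (flags & (SYN | FIN)) != 0)


def compare(frames):
    """Show which constructed frames each filter lets through to snort."""
    return [(src, flags, posted_filter(f), scanner_synfin_only_filter(f))
            for f in frames for src, flags in [parse(f)]]


if __name__ == "__main__":
    samples = [build_tcp_frame(SCANNER, "192.0.2.1", SYN),      # scanner probe
               build_tcp_frame("10.0.0.9", "192.0.2.1", SYN),   # normal host probe
               build_tcp_frame("10.0.0.9", "192.0.2.1", ACK)]   # normal data traffic
    for row in compare(samples):
        print("src=%s flags=0x%02x posted=%s assumed=%s" % row)
```

The third sample shows the difference: the expression as posted would also keep ordinary non-SYN/FIN traffic from every other host away from snort, while the assumed form only excludes the scanner's SYN/FIN packets.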