[Snort-sigs] syn/fin scans from stream4

Erek Adams erek at ...95...
Thu Aug 28 23:39:04 EDT 2003

On Thu, 28 Aug 2003, Vincent Vono wrote:

> Anyone know how to pass syn/fin scans from a specific source address? The
> events are being triggered by the preprocessor stream4. I have a production
> scanner, when scanning, this event is triggered. Want to stop this from
> triggering from this specific source address.
> I've searched through the docs but find nothing.

You can't have a pass rule for this since this is from a pre-processor.
The only way to stop traffic from going by a pre-processor is to use a BPF

	snort <options> 'not src <scanner>'

You can get a bit tricky and do things like:

	snort <options> 'not src <scanner> and (tcp[tcpflags] &
	(tcp-syn|tcp-fin) != 0)'

Note:  That's not a tested filter.  It's late and it may have errors...
It was shamelessly ripped from the tcpdump man page [0].

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.tcpdump.org/tcpdump_man.html
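Added example, not part of the mailing-list post: a small Python model of what the two BPF expressions in the reply select, evaluated over a handful of constructed packets (the scanner address 10.0.0.5 and the other hosts are assumptions, not values from the thread). The TCP flag bit values are the ones the tcpdump man page assigns to tcp-fin and tcp-syn. The model also includes a simplistic SYN/FIN check standing in for the preprocessor, so you can see that the plain `not src <scanner>` filter suppresses the scanner's events while still surfacing a SYN/FIN probe from anyone else, and that the "tricky" combined filter only passes SYN- or FIN-bearing segments to Snort at all, which leaves the rest of the traffic unseen by every other rule.

```python
# Constructed model of the BPF filters from the reply; not Snort or tcpdump code.
# Flag bit values as defined in the tcpdump man page (tcp-fin = 0x01, tcp-syn = 0x02).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10

# Assumed address of the production scanner (hypothetical value).
SCANNER = "10.0.0.5"

# Constructed sample packets: (src_ip, dst_ip, tcp_flags).
PACKETS = [
    ("10.0.0.5", "10.0.1.20", TCP_SYN | TCP_FIN),   # scanner's SYN/FIN probe
    ("10.0.0.5", "10.0.1.21", TCP_SYN),             # scanner's ordinary SYN
    ("192.0.2.9", "10.0.1.20", TCP_SYN | TCP_FIN),  # someone else's SYN/FIN probe
    ("192.0.2.9", "10.0.1.20", TCP_ACK),            # ordinary ACK segment
    ("10.0.1.20", "192.0.2.9", TCP_ACK | TCP_PSH),  # ordinary data segment
]


def not_src(scanner):
    """Model of BPF  'not src <scanner>'  : drop everything the scanner sends."""
    return lambda pkt: pkt[0] != scanner


def syn_or_fin_set():
    """Model of BPF  '(tcp[tcpflags] & (tcp-syn|tcp-fin)) != 0'  : SYN or FIN present."""
    return lambda pkt: (pkt[2] & (TCP_SYN | TCP_FIN)) != 0


def combined(scanner):
    """Model of the reply's combined filter: not from the scanner AND SYN/FIN bit set."""
    exclude_scanner, flag_test = not_src(scanner), syn_or_fin_set()
    return lambda pkt: exclude_scanner(pkt) and flag_test(pkt)


def apply_filter(bpf, packets):
    """Return the packets the capture filter would hand to Snort."""
    return [p for p in packets if bpf(p)]


def syn_fin_alerts(packets):
    """Stand-in for the preprocessor's SYN/FIN check: both SYN and FIN set in one segment.
    Returns the source addresses that would raise the event."""
    both = TCP_SYN | TCP_FIN
    return [p[0] for p in packets if (p[2] & both) == both]


if __name__ == "__main__":
    for name, bpf in (("not src", not_src(SCANNER)), ("combined", combined(SCANNER))):
        seen = apply_filter(bpf, PACKETS)
        print(f"{name:9s}: Snort sees {len(seen)} of {len(PACKETS)} packets, "
              f"SYN/FIN events from {syn_fin_alerts(seen)}")
```

Run as-is it reports that `not src` lets Snort see three of the five packets and still raises the SYN/FIN event for 192.0.2.9 but not for the scanner, whereas the combined filter leaves Snort with only one packet in total. The trade-off the reply implies but does not spell out is that a capture-level BPF is all-or-nothing: every packet from the excluded scanner is invisible to every rule and preprocessor, not just to the SYN/FIN check, so the scanner host itself needs to be covered some other way.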

