[Snort-sigs] proposed change to rule

Chris Green cmg at ...435...
Mon Jan 27 13:29:02 EST 2003


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:

> Unfortunately, if someone creates a valid connection on this port and
> begins xfering data... every packet seems to be logged.  Adding syn may
> help
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp
> request"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013;
> classtype:attempted-recon; sid:1421; rev:2;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp
> request"; flags:S; reference:cve,CAN-2002-0012;
> reference:cve,CAN-2002-0013; classtype:attempted-recon; sid:1421;
> rev:3;)

Unless you know for sure that S is the only possible session initiator
for your connection, use S+.

What real connections should you see on 705 anyway?  I would imagine
most people want to see all those packets.
-- 
Chris Green <cmg at ...435...>
"Yeah, but you're taking the universe out of context."
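Added example (not part of the thread, not Snort's own code): a small Python model of how Snort's `flags` modifiers treat a session's packets, to show why `flags:S` can miss the very SYN rev:3 is meant to catch and why `S+` is the safer choice. The packet flag bytes are constructed, and the SYN is given the two ECN bits (CWR|ECE) on top of SYN, as an ECN-capable stack would send it; the `,12` ignore-mask form follows Snort 2's documented "reserved bit 1/2" names, and the `!` modifier is left out.

```python
"""Snort 'flags' keyword semantics, applied to a constructed TCP session."""

# TCP flag bits and the letters Snort's flags keyword uses for them.
# "1" and "2" are Snort 2's names for the two reserved (ECN) bits; "C"/"E"
# are the later names for the same bits. "0" means "no flags set".
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE (reserved bit 2)
    "C": 0x80,  # CWR (reserved bit 1, MSB of the flags byte)
    "2": 0x40,
    "1": 0x80,
}


def letters_to_mask(letters: str) -> int:
    """Turn a run of flag letters into a bitmask ('0' and '' give 0)."""
    mask = 0
    for ch in letters:
        if ch == "0":
            continue
        mask |= FLAG_BITS[ch]  # unknown letter -> KeyError, like a rule parse error
    return mask


def parse_flags_option(spec: str):
    """Parse the argument of 'flags:' into (mode, wanted_bits, ignored_bits).

    Modes modelled here: exact match (no modifier), '+' (wanted bits set,
    anything else may be set too) and '*' (any of the wanted bits set).
    An optional ',<letters>' names bits to ignore before comparing, so
    'S,12' means "exactly SYN, after masking off the two ECN bits".
    """
    flag_part, _, ignore_part = spec.strip().partition(",")
    mode = "exact"
    if flag_part.endswith("+"):
        mode, flag_part = "plus", flag_part[:-1]
    elif flag_part.endswith("*"):
        mode, flag_part = "any", flag_part[:-1]
    return mode, letters_to_mask(flag_part), letters_to_mask(ignore_part)


def flags_match(spec: str, tcp_flags: int) -> bool:
    """Would a rule with 'flags:<spec>' match a packet with this flags byte?"""
    mode, wanted, ignored = parse_flags_option(spec)
    seen = tcp_flags & 0xFF & ~ignored
    if mode == "exact":
        return seen == wanted
    if mode == "plus":
        return seen & wanted == wanted
    return bool(seen & wanted)  # "any"


# Constructed client->server packets of one connection to tcp/705, in the
# direction the rule inspects. The SYN is from an ECN-capable host, so the
# flags byte is SYN|ECE|CWR = 0xC2 rather than a bare 0x02.
SESSION = [
    ("SYN (ECN)", 0xC2),
    ("ACK", 0x10),
    ("PSH/ACK data", 0x18),
    ("PSH/ACK data", 0x18),
    ("ACK", 0x10),
    ("FIN/ACK", 0x11),
]


def count_alerts(flags_spec, packets=SESSION) -> int:
    """Number of session packets a rule with this flags option alerts on.
    None stands for a rule without any flags option, like sid:1421 rev:2."""
    if flags_spec is None:
        return len(packets)
    return sum(1 for _, flags in packets if flags_match(flags_spec, flags))


if __name__ == "__main__":
    for spec in (None, "S", "S+", "S,12", "S*"):
        label = "no flags option" if spec is None else f"flags:{spec}"
        print(f"{label:16} -> {count_alerts(spec)} alert(s)")
```

Running it shows rev:2 firing on all six packets of the session, `flags:S` firing on none (the ECN-marked SYN is not an exact match), and `flags:S+` or `flags:S,12` firing exactly once, on the connection attempt. `S+` would also match a SYN/ACK, but that travels from port 705 back to the client, so the rule's `$EXTERNAL_NET any -> $HOME_NET 705` direction already excludes it.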
