[Snort-sigs] proposed change to rule

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jan 27 13:39:02 EST 2003


Ok, global use:  AgentX appears to send more than 1 packet in its request.  So 1 instance of use of this tool could potentially generate several alerts.

-----Original Message-----
From: Chris Green [mailto:cmg at ...435...] 
Sent: Monday, January 27, 2003 3:35 PM
To: Kreimendahl, Chad J
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] proposed change to rule


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:

> A daemon that is used for something completely unrelated....

I'm trying to understand environment specific versus the global use
case.
>
>
> It's very possible for there to be a large amount of data coming back
> with the real AgentX... definitely more than one packet every use.

Yes I know.  The initial SYN isn't good enough by itself because
you'll want to know what credentials they are trying or at least
that's what I would like.

Anyone else have comments?
-- 
Chris Green <cmg at ...435...>
Laugh and the world laughs with you, snore and you sleep alone.



