[Snort-sigs] RE: anyone have more detail other than window size of 55808 to craft a snort rule for this
Brian.Coyle at ...904...
Thu Jun 12 13:30:10 EDT 2003
Donald Smith pointed out:
> Why are you using S+?
Bad recycling habit on my part - part of a rule I cut-n-pasted when creating this one.
I also noticed an extraneous 'http://' on the gcn reference that was somehow injected into my email (it's not in my production rulefile....)
Here's the updated rule:
alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00";
flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;)
> I would think the hex DA00 would be a faster match
I haven't dug into the source code, but wouldn't this be resolved *once* when the rule file is read, then stored?
-- Brian, GCIA
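The following is an added example, not part of the original thread or of Snort, that models what the rule above matches: a TCP segment whose flag byte is exactly SYN and whose advertised window is 55808 (0xDA00). It also shows the two points raised in the thread in working code: that `flags:S` and `flags:S+` differ (exact match versus SYN-plus-anything, so `S+` would also fire on a SYN/ACK reply), and that a rule option value, whether spelled as decimal or hex, is converted to an integer once when the rule is compiled and only integer compares happen per packet. The `compile_window_option` parser and the sample segments are this example's own constructions (Snort's actual option parser and its rule loader are not being reproduced here).

```python
"""Stand-in for what the watchlist rule matches: TCP SYN segments whose
advertised window is 55808 (0xDA00). Example code written for this page,
not part of Snort; it models the semantics of the rule options only."""
import struct

# TCP flag bits as they sit in the low byte of the offset/flags word
# (RFC 793 flags plus the RFC 3168 ECE/CWR bits).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def compile_window_option(text: str) -> int:
    """Turn the textual option value into the integer compared at match time.
    Accepts decimal ("55808") or 0x-prefixed hex ("0xDA00"); both yield 55808.
    This is the example's own parser, standing in for the one-time conversion
    a rule loader performs; it is not Snort's option parser."""
    value = int(text.strip(), 0)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"window must fit in 16 bits: {text!r}")
    return value


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; options and payload are ignored."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0xFF,
        "window": window,
    }


def flags_match(flags: int, wanted: int, plus: bool = False) -> bool:
    """Snort 'flags:' semantics: 'S' means the flag byte is exactly SYN;
    'S+' means SYN is set and any other bits are tolerated."""
    if plus:
        return flags & wanted == wanted
    return flags == wanted


def build_tcp_header(sport: int, dport: int, flags: int, window: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) as test traffic."""
    off_flags = (5 << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0)


def make_watchlist_matcher(window_text: str = "55808", plus: bool = False):
    """Compile the rule once; the returned closure only does integer compares."""
    window = compile_window_option(window_text)

    def matches(segment: bytes) -> bool:
        hdr = parse_tcp_header(segment)
        return flags_match(hdr["flags"], SYN, plus) and hdr["window"] == window

    return matches


# Constructed sample segments (not captured traffic).
SAMPLES = {
    "syn_da00": build_tcp_header(40000, 80, SYN, 0xDA00),           # what the rule is after
    "synack_da00": build_tcp_header(80, 40000, SYN | ACK, 0xDA00),  # only S+ would flag this
    "syn_ffff": build_tcp_header(40000, 80, SYN, 0xFFFF),           # wrong window
    "ack_da00": build_tcp_header(40000, 80, ACK, 0xDA00),           # not a SYN at all
}


def classify(plus: bool = False) -> dict:
    """Run every sample through the compiled matcher; result keyed by sample name."""
    match = make_watchlist_matcher("55808", plus=plus)
    return {name: match(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    print("flags:S  ", classify(plus=False))
    print("flags:S+ ", classify(plus=True))
```

Running it shows `synack_da00` flagged only under the `S+` variant, which is the practical reason the exact `flags: S` form is the right choice for a rule aimed at the initial SYN; the window value is converted by `compile_window_option` once per rule, so spelling it as 55808 or 0xDA00 makes no difference to per-packet cost.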