[Snort-sigs] RE: anyone have more detail other than window size of 55808 to craft a snort rule for this

Coyle, Brian Brian.Coyle at ...904...
Thu Jun 12 13:30:10 EDT 2003

Donald Smith pointed out:

> Why are you using S+? 

Bad recycling habit on my part- part of the rule I cut-n-pasted when creating this one.  

I also noticed an extraneous 'http://' on the gcn reference was somehow injected into my email (it's not in my production rulefile....)

Here's the updated rule-

  alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00";
  flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;)

> I would think the hex DA00 would be a faster match

I haven't dug into the source code, but wouldn't this be resolved *once* when the rule file is read, then stored?  

                                    -- Brian, GCIA
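A worked check of the match logic discussed in this thread, added here as an example and not part of Brian's post or of Snort's own code: it decodes constructed 20-byte TCP headers and applies the rule's `flags:S` and `window:55808` conditions, showing that `S` (exactly SYN) differs from `S+` (SYN plus any other flag) and that 55808 and 0xDA00 are the same 16-bit integer once the rule text has been parsed. The header bytes and port numbers are constructed sample values, and the flag handling is a simplified model of Snort's semantics.

```python
import struct

# The rule's window value: decimal in the rule text, identical as an integer
# to 0xDA00. Whichever spelling is used, it is converted once at rule-load time
# and the per-packet comparison is an integer compare.
RULE_WINDOW = 55808
assert RULE_WINDOW == 0xDA00

# Bit values of the six classic TCP flags in the header's flags byte.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (RFC 793 field layout)."""
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", raw[:20]
    )
    return {"sport": sport, "dport": dport, "flags": flags, "window": window}


def flags_match(flags: int, wanted: str, plus: bool = False) -> bool:
    """Simplified Snort 'flags' semantics.

    Without '+': the flags byte must be exactly the listed flags (Snort's
    ',12' modifier, which ignores the two reserved/ECN bits, is not modelled).
    With '+' (e.g. 'S+'): the listed flags must be set, others may be too.
    """
    want = 0
    for ch in wanted:
        want |= TCP_FLAG_BITS[ch]
    return (flags & want) == want if plus else flags == want


def rule_matches(raw: bytes, plus: bool = False) -> bool:
    """Apply the watchlist rule's conditions to one raw TCP header."""
    hdr = parse_tcp_header(raw)
    return flags_match(hdr["flags"], "S", plus) and hdr["window"] == RULE_WINDOW


def build_tcp_header(flags: int, window: int) -> bytes:
    """Constructed sample header; ports, seq and checksum are arbitrary filler."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, window, 0, 0)


# Constructed sample packets: SYN with the suspect window, SYN/ACK with it,
# and a SYN with an ordinary window.
SYN_55808 = build_tcp_header(0x02, 55808)
SYNACK_55808 = build_tcp_header(0x12, 55808)
SYN_OTHER = build_tcp_header(0x02, 65535)
```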

