[Snort-sigs] RE: anyone have more detail other than window size of 55808 to craft a snort rule for this

Coyle, Brian Brian.Coyle at ...904...
Thu Jun 12 13:30:10 EDT 2003


Donald Smith pointed out:

> Why are you using S+? 

Bad recycling habit on my part- part of the rule I cut-n-pasted when creating this one.  

I also noticed an extraneous 'http://' on the gcn reference was somehow injected into my email (it's not in my production rulefile....)

Here's the updated rule-


  alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; \
  flags:S; window:55808; classtype:bad-unknown; sid:9999999; rev:2; \
  reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; \
  reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; \
  reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)

> I would think the hex DA00 would be a faster match

I haven't dug into the source code, but wouldn't this be resolved *once* when the rule file is read, then stored?  

                                    -- Brian, GCIA
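Added example (not from the thread above): a small Python checker that applies the rule's two tests, the flags test and window:55808, to raw TCP headers. It shows why "S" and "S+" differ on a SYN/ACK, and that 55808 and 0xDA00 are the same integer once parsed. Packet bytes are constructed inline, not captured traffic.

```python
import struct

# Window value from the rule; decimal 55808 and hex 0xDA00 are the same integer.
RULE_WINDOW = 55808

# TCP flag bits (low 6 bits of the offset/flags field).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(data: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (RFC 793) from raw bytes."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x3F, "window": window}


def flags_match(flags: int, wanted: int, plus: bool) -> bool:
    """Snort 'flags:S' needs exactly SYN set; 'flags:S+' needs SYN plus anything else."""
    if plus:
        return flags & wanted == wanted
    return flags == wanted


def matches_watchlist(data: bytes, plus: bool = False) -> bool:
    """Apply the rule's two tests: flags (S or S+) and window:55808."""
    hdr = parse_tcp_header(data)
    return flags_match(hdr["flags"], TCP_SYN, plus) and hdr["window"] == RULE_WINDOW


def build_tcp_header(flags: int, window: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal TCP header (data offset 5, checksum 0) for the samples below."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, off_flags, window, 0, 0)


# Constructed sample headers (not captured traffic).
SAMPLES = {
    "syn_da00": build_tcp_header(TCP_SYN, 0xDA00),               # matches 'S' and 'S+'
    "synack_da00": build_tcp_header(TCP_SYN | TCP_ACK, 0xDA00),  # matches only 'S+'
    "syn_other": build_tcp_header(TCP_SYN, 65535),               # wrong window, no match
}


def scan(samples: dict, plus: bool = False) -> list:
    """Return the names of sample headers the rule would alert on."""
    return [name for name, data in samples.items() if matches_watchlist(data, plus)]
```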
