[Snort-sigs] Traceroute test

Esler, Joel Contractor EslerJ at ...785...
Tue Jun 17 09:42:14 EDT 2003


I think there is a way, however, refresh my memory...

Since traceroute starts on port 33435 udp...  We can write a rule to detect
traceroutes...

Alert udp $HOME_NET >33435 -> $EXTERNAL_NET any (msg:"Traceroute"; flags:S+;")

Right??

Or would it be more like
Alert udp $HOME_NET 33435:65535 -> $EXTERNAL_NET any (msg:"Traceroute";) ??

Joel
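
Added example, not part of the original message: one way to write the rule so that it matches the UDP probes by destination port and low TTL, together with a rule for the ICMP reply side of the same traceroute. The sids, the TTL cut-off of 5 and the classtypes are assumptions chosen for illustration.

```snort
# Added example, not from the original post. Local sids (>= 1000000) and the
# TTL cut-off of 5 are assumptions.
#
# Notes on the two candidates in the post:
#  - "flags" inspects TCP flags, so it does not apply in a udp rule.
#  - A port field takes a number, a range (low:high) or "any"; ">33435" is
#    not port syntax, while 33435:65535 is.
#  - Both candidates put the port on the source side. traceroute's UDP probes
#    carry the high port as the destination port, and the source port varies.

# Outbound probe: UDP to a high destination port with a small TTL. The TTL
# test separates the first hops of a traceroute from ordinary high-port UDP
# traffic, which leaves the host with a TTL of 64 or more.
alert udp $HOME_NET any -> $EXTERNAL_NET 33435:65535 (msg:"UDP traceroute probe, low TTL"; ttl:<5; classtype:attempted-recon; sid:1000001; rev:1;)

# Reply side: a router on the path reports time exceeded in transit
# (ICMP type 11, code 0) back to the host that sent the probe.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TTL exceeded in transit, traceroute reply"; itype:11; icode:0; classtype:misc-activity; sid:1000002; rev:1;)
```

The first rule fires once per probe in the first four hops, so a single traceroute run produces several alerts.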



