[Snort-sigs] Snort rules question.

wbenetti at ...2738... wbenetti at ...2738...
Wed Aug 18 11:54:13 EDT 2004


	As far as I can tell this appears to be the best place to ask a 
Snort rules question.  So here goes:

	I would like to write a snort rule that alarms on a TCP segment 
that doesn't correspond to any established TCP session.  I would also like 
to take TCP SYNs out of consideration for this rule, since some of them 
would be caught by a rule that does this.

	To clarify: I occasionally see frames destined to a client machine
that have the proper seq/ack numbers and sockets, but the source address
is different than the IP address of the server that is servicing the
request.  I believe that this is a bug in a hardware vendor, but I'd like 
to write a rule to keep an eye on things.  Is this something that snort 
can detect?

	If there is a more appropriate resource I should contact for
assistance, please let me know.


More information about the Snort-sigs mailing list