[Snort-sigs] Invalid TCP packet, header length<20 bytes

Joseph Gama josephgama at ...144...
Wed Jul 14 16:18:03 EDT 2004


Hello!

I am trying to create a rule that will detect TCP
packets with a header of less than 20 bytes, that is,
HLEN<5.

This is what I tried:

alert ip $EXTERNAL_NET any -> $HOME_NET any
(msg:"Invalid TCP packet, header length<20 bytes";
byte_test: 1, <, 80, 12, string, dec; ip_proto:tcp;
reference: url,
http.www.ibiblio.org/pub/docs/rfc/rfc793.txt;
classtype:bad-unknown; sid:10067; rev:1;)

alert ip $EXTERNAL_NET any -> $HOME_NET any
(msg:"Invalid TCP packet, header length<20 bytes 2";
dsize:<20; ip_proto:tcp; reference: url, 
http.www.ibiblio.org/pub/docs/rfc/rfc793.txt;
classtype:bad-unknown; sid:10067; rev:1;)

I create a packet with HLEN=4 for the tests.
The first rule never fires and the second creates
plenty of false positives.

Does anyone have a solution for this?
Thank you.

Peace,

Joseph Gama
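An added example, not from this thread, that parses the field the rule needs to test: the TCP Data Offset is the high four bits of TCP header byte 12, stored as a binary value, so for HLEN=4 the raw byte is 0x40 (64) and any HLEN below 5 makes that byte less than 0x50 (80). The packet builder, ports and addresses below are constructed test data.

```python
import struct

def build_ipv4_tcp(data_offset_words: int) -> bytes:
    """Constructed sample: a minimal IPv4 packet carrying a 20-byte TCP header
    whose Data Offset field is set to data_offset_words (32-bit words).
    Addresses (TEST-NET ranges) and ports are placeholders."""
    tcp_len = 20                      # we always emit 20 bytes; only the field varies
    total_len = 20 + tcp_len
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 6, 0,   # IHL=5, proto 6 = TCP
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    offset_byte = (data_offset_words & 0x0F) << 4        # high nibble of TCP byte 12
    tcp = struct.pack("!HHIIBBHHH",
                      12345, 80, 0, 0,                     # sport, dport, seq, ack
                      offset_byte, 0x02, 65535, 0, 0)      # offset/reserved, SYN, win, csum, urg
    return ip + tcp

def tcp_data_offset(packet: bytes):
    """Return (claimed_header_bytes, raw_byte12) for an IPv4/TCP packet, or None
    if the packet is not IPv4/TCP or is too short to contain TCP byte 12."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4      # IP header length; the TCP header starts here
    if packet[9] != 6 or len(packet) < ihl + 13:
        return None
    byte12 = packet[ihl + 12]
    return (byte12 >> 4) * 4, byte12  # Data Offset nibble, in bytes; and the raw byte

def has_short_tcp_header(packet: bytes) -> bool:
    """True when the Data Offset field claims fewer than 20 bytes (HLEN < 5),
    which RFC 793 does not allow: a decoder should flag such packets."""
    parsed = tcp_data_offset(packet)
    return parsed is not None and parsed[0] < 20

if __name__ == "__main__":
    for hlen in (4, 5):
        claimed, raw = tcp_data_offset(build_ipv4_tcp(hlen))
        print(f"HLEN={hlen}: byte 12 = 0x{raw:02x} ({raw}), claims {claimed} bytes, "
              f"invalid={has_short_tcp_header(build_ipv4_tcp(hlen))}")
```

The comparison a signature needs is numeric on the raw byte (less than 0x50), not a conversion of that byte as an ASCII decimal digit.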

