josephgama at ...144...
Wed Jul 28 17:47:36 EDT 2004
Rule 526 is ok but maybe there should be a similar
rule for SYN ACK because it has data too, sometimes.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; dsize:>6; classtype:misc-activity; sid:526; rev:9;)
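
The check discussed in the message above, as an added Python example that is not part of the original post and is not Snort code: it reports both SYN and SYN-ACK segments that carry more than 6 payload bytes, counting payload after the TCP options as dsize does. The function names, addresses, ports and sample packets are constructed for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10
DSIZE_THRESHOLD = 6  # mirrors dsize:>6 in the quoted rule

def build_packet(flags, payload=b"", tcp_options=b""):
    """Build a minimal IPv4+TCP packet (constructed sample; checksums left at zero)."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      data_offset << 4, flags, 8192, 0, 0)
    tcp += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

def classify(packet):
    """Return 'SYN' or 'SYN-ACK' when a handshake segment carries more than
    DSIZE_THRESHOLD payload bytes, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or ihl < 20:
        return None                          # not TCP, or bad IP header length
    if total_len > len(packet) or total_len < ihl + 20:
        return None                          # truncated or malformed
    tcp = packet[ihl:total_len]
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        return None                          # bad TCP header length
    # TCP options (MSS, window scale, ...) sit inside the header and are
    # not payload, so an ordinary SYN with options still has size 0 here.
    payload_len = len(tcp) - data_offset
    if payload_len <= DSIZE_THRESHOLD:
        return None
    flags = tcp[13] & 0x3F                   # assumption: ignore the two ECN bits
    if flags == SYN:
        return "SYN"
    if flags == SYN | ACK:
        return "SYN-ACK"
    return None

if __name__ == "__main__":
    mss = b"\x02\x04\x05\xb4"                # MSS option, value 1460
    for name, pkt in [("plain SYN", build_packet(SYN, b"", mss)),
                      ("SYN + data", build_packet(SYN, b"AAAAAAA", mss)),
                      ("SYN-ACK + data", build_packet(SYN | ACK, b"B" * 10, mss))]:
        print(name, "->", classify(pkt))
```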