[Snort-sigs] suggestion

Joseph Gama josephgama at ...144...
Wed Jul 28 17:47:36 EDT 2004


Hi!

Rule 526 is ok but maybe there should be a similar
rule for SYN ACK because it has data too, sometimes.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; dsize:>6; flags:S,12; flow:stateless; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:9;)

Peace,

Joseph Gama
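
The check that rule 526 performs, extended to the SYN-ACK case suggested in the message above, as an added example (not part of the original post and not Snort's own code). It assumes raw IPv4 packets as input; the function names and the sample packets are constructed for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10
KEEP_MASK = 0x3F  # mirrors Snort's ",12": ignore the two high bits of the flags byte

def tcp_flags_and_dsize(ip_packet: bytes):
    """Return (flags, payload_length) for a raw IPv4/TCP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if ihl < 20 or len(ip_packet) < ihl + 20 or total_len > len(ip_packet):
        return None
    data_off = (ip_packet[ihl + 12] >> 4) * 4
    if data_off < 20 or ihl + data_off > total_len:
        return None
    # Use the IP total length, so link-layer padding and TCP options
    # are not counted as payload.
    return ip_packet[ihl + 13], total_len - ihl - data_off

def classify(ip_packet: bytes, min_dsize: int = 6):
    """Apply dsize:>6 with the SYN test of rule 526 and a SYN-ACK variant."""
    parsed = tcp_flags_and_dsize(ip_packet)
    if parsed is None:
        return None
    flags, dsize = parsed
    if dsize <= min_dsize:
        return None
    masked = flags & KEEP_MASK
    if masked == SYN:
        return "data in TCP SYN packet"
    if masked == (SYN | ACK):
        return "data in TCP SYN-ACK packet"
    return None

def build(flags: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample packet (checksums zero, documentation addresses)."""
    offset = ((20 + len(options)) // 4) << 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset, flags,
                      8192, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp

if __name__ == "__main__":
    for f in (0x02, 0x12, 0x18):
        print(hex(f), classify(build(f, b"A" * 7)))
```
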


		



