[Snort-sigs] Does rule 2159 make sense?

Sean Wheeler s.wheeler at ...944...
Mon Mar 29 00:37:03 EST 2004


Hi,

I came across this rule where the flow:established and stateless flow options
are both set.

Does this make any sense? My interpretation would be that the connection should
be established, but the state of the connection (established or not) does
not really matter.

Could someone please explain why, and whether this rule is correct.


alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type (0)";
    flow:established;
    content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; offset:0; depth:16;
    content:"|00|"; distance:2; within:1;
    stateless; classtype:bad-unknown; sid:2159; rev:4;)


Below is the snippet from the 2.1.1 manual:

established - trigger only on established TCP connections
stateless   - trigger regardless of the state of the stream processor (useful
              for packets that are designed to cause machines to crash)

regards

Sean
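The check behind the question, as an added example rather than anything from the post or from the Snort project: a small Python linter that parses a Snort 2.x rule into its header and option list and reports the combination Sean is asking about, a `stateless` option beside `flow:established`, as a conflict to review. It assumes a simplified rule grammar (options separated by ';' outside double quotes), and the conflict logic is taken only from the two manual descriptions quoted above; whether Snort itself rejects, ignores or honours such a rule is not something the script decides. The second rule used for contrast is constructed for the example.

```python
import re

# Rule from the post (sid:2159), rejoined onto one line; the breaks in the
# e-mail were mail wrapping, not part of the rule.
RULE_2159 = (
    'alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type (0)"; '
    'flow:established; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; '
    'offset:0; depth:16; content:"|00|"; distance:2; within:1; '
    'stateless; classtype:bad-unknown; sid:2159; rev:4;)'
)

# Constructed contrast rule (not a real VRT signature): same shape, no 'stateless'.
RULE_ESTABLISHED_ONLY = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 179 (msg:"constructed example"; '
    'flow:established,to_server; content:"|00|"; sid:9999999; rev:1;)'
)

HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>|<-)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$',
    re.S,
)


def split_options(body):
    """Split the option body on ';' that are outside double quotes.

    Returns a list of (keyword, value) tuples; flag options such as
    'stateless' get value None. Order and duplicates (e.g. two
    'content' options) are preserved because rule matching depends on them.
    """
    opts, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and in_quote and i + 1 < len(body):
            buf.append(ch)
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = ''.join(buf).strip()
    if tail:
        opts.append(tail)
    parsed = []
    for opt in opts:
        if not opt:
            continue
        key, sep, val = opt.partition(':')
        parsed.append((key.strip(), val.strip() if sep else None))
    return parsed


def parse_rule(text):
    """Parse 'action proto src sport dir dst dport (options)' into a dict."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule header: %r" % text[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {
        'action': action, 'proto': proto, 'src': src, 'sport': sport,
        'direction': direction, 'dst': dst, 'dport': dport,
        'options': split_options(body),
    }


def flow_conflicts(rule):
    """Return human-readable warnings for flow/stateless combinations.

    Based only on the manual text quoted in the post: 'established' needs an
    established TCP stream, 'stateless' matches regardless of stream state.
    """
    keys = [k for k, _ in rule['options']]
    flow_flags = set()
    for k, v in rule['options']:
        if k == 'flow' and v:
            flow_flags.update(p.strip() for p in v.split(','))
    warnings = []
    if 'stateless' in keys and 'established' in flow_flags:
        warnings.append(
            "flow:established requires an established TCP stream, but "
            "'stateless' asks to match regardless of stream state")
    if 'established' in flow_flags and rule['proto'] != 'tcp':
        warnings.append(
            "flow:established only applies to TCP rules (proto is %s)" % rule['proto'])
    return warnings


if __name__ == '__main__':
    for text in (RULE_2159, RULE_ESTABLISHED_ONLY):
        rule = parse_rule(text)
        sid = dict(rule['options']).get('sid')
        print("sid %s: %s" % (sid, flow_conflicts(rule) or "no flow conflicts"))
```

Run as a script it reports the conflict for sid 2159 and nothing for the contrast rule; `parse_rule` and `flow_conflicts` can be dropped into a loop over a rules file to find every signature that carries both options.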
