[Snort-sigs] Does rule 2159 make sense?
s.wheeler at ...944...
Mon Mar 29 00:37:03 EST 2004
I came across this rule, which has both the flow:established and stateless flow options.
Does this make any sense? My interpretation would be that the connection should
be established, but the state of the connection (established or not) does
not really matter.
Could someone please explain why, and whether this rule is correct?
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type (0)"; flow:established; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; offset:0; depth:16; content:"|00|"; distance:2; within:1; stateless; classtype:bad-unknown; sid:2159; rev:4;)
Below is the snippet from the 2.1.1 manual:
established    trigger only on established TCP connections
stateless      trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash)
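
Added example (not part of the original post, and not Snort project code): a small Python audit that finds rules carrying both flow:established and stateless, the combination asked about above. It assumes stateless may appear either as its own option, as in sid 2159, or inside flow:; the two extra rules and all function names are constructed for the example.

```python
SAMPLE_RULES = [  # constructed input: sid 2159 as posted, plus two made-up rules
    'alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type (0)"; '
    'flow:established; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; '
    'offset:0; depth:16; content:"|00|"; distance:2; within:1; stateless; '
    'classtype:bad-unknown; sid:2159; rev:4;)',
    'alert tcp any any -> any 80 (msg:"constructed\\; stateless\\; in msg"; '
    'flow:to_server,established; content:"x"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 23 (msg:"constructed"; flow:stateless; sid:1000002; rev:1;)',
]

def split_options(rule):
    """Return [(keyword, value)]; a ';' in quotes or escaped as \\; ends nothing."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep an escaped pair together
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.append((key.strip().lower(), val.strip()))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return opts

def flow_state_conflict(rule):
    """True when the rule asks for flow:established and also carries stateless."""
    established = stateless = False
    for key, val in split_options(rule):
        if key == "flow":
            parts = {p.strip().lower() for p in val.split(",")}
            established = established or "established" in parts
            stateless = stateless or "stateless" in parts
        elif key == "stateless":               # standalone form, as in sid 2159
            stateless = True
    return established and stateless

def audit(rules):
    # sids of every rule that combines the two options
    return [dict(split_options(r)).get("sid") for r in rules if flow_state_conflict(r)]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

The second constructed rule has the word stateless only inside its msg string, so a plain substring search over the rules file would report it while the option parser does not.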