[Snort-sigs] Simple Question!!

Nigel Houghton nigel at ...435...
Tue Mar 30 07:16:06 EST 2004


The questions you are asking are all answered in the copious Snort
documentation. This list is for the discussion of Snort signature
development and other issues concerning rules. Please refer to the
documentation first before asking a question, and when you do ask a
question, please ask on the correct list, snort-users is a good place to
seek help for many things.

Finally, please do not cross-post to multiple lists.

On  0, SAM IDS <sam_ids at ...144...> allegedly wrote:
> hello ,
> In the 
> Signature : alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; content:"|02 00|"; depth: 2; ip_proto: 2; fragbits: M+; reference:cve,CVE-1999-0918; classtype:attempted-dos; sid:272; rev:2;) 
>  
> Whats meant by:
> 1.depth: 2
> 2.fragbits: M+
  
--
Nigel Houghton  Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.




More information about the Snort-sigs mailing list