[Snort-sigs] [Snort-devel] Maybe I'm missing something...

Will Metcalf william.metcalf at ...2420...
Wed May 5 23:18:23 EDT 2010


Right, this is an existing sig in the ET ruleset that doesn't fire. If
I understand flags correctly, we are looking for a reset flag
regardless of what the reserved bits are set to.  I think this rule
should fire but doesn't.  Am I wrong?

Regards,

Will

On Wed, May 5, 2010 at 10:10 PM, beenph <beenph at ...2420...> wrote:
> Well ...will look at clients ephemeral ports..
>
>
>
> On Wed, May 5, 2010 at 10:17 PM, Will Metcalf <william.metcalf at ...2420...> wrote:
>> But I think this rule should fire on the attached pcap.  I realize
>> that this isn't the intended purpose of the rule but it illustrates
>> the point.  This is using snort-2.8.5.3, please correct me if I'm
>> wrong.
>>
>> Regards,
>>
>> Will
>>
>> alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES
>> Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype:
>> policy-violation;
>> reference:url,doc.emergingthreats.net/bin/view/Main/2002117;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet;
>> sid:2002117; rev:5;)
>>
>> var HOME_NET [10.0.0.0/8,192.168.0.0/16,127.0.0.1]
>> var EXTERNAL_NET any
>>
>> 19:36:55.033713 IP 192.168.100.13.43844 > 192.168.2.35.6112: Flags
>> [S], seq 261064610, win 5840, options [mss 1460,sackOK,TS val 4825806
>> ecr 0,nop,wscale 7], length 0
>> 19:36:55.142385 IP 192.168.2.35.6112 > 192.168.100.13.43844: Flags
>> [R.], seq 0, ack 261064611, win 0, length 0
>>
>
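As an added illustration for this thread (my own code, not Snort's or Emerging Threats'), here is a small model of Snort's TCP `flags` option, evaluated against the RST/ACK packet quoted above. It assumes the documented semantics: no modifier means an exact match of the flag byte, `+` means the named flags plus any others, `*` means any of them, `!` means none of them, and the bits listed after the comma (`1` = CWR, `2` = ECE) are masked out before comparing; the tcpdump letter mapping (`.` for ACK) is also an assumption of the example.

```python
# Added example: a small model of Snort's TCP "flags" rule option, written
# for this thread (it is not Snort's own code). Documented semantics:
# no modifier = exact match, "+" = named bits plus any others, "*" = any of
# the named bits, "!" = none of them; bits after the comma are ignored.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10,
             "U": 0x20, "1": 0x80, "2": 0x40}   # 1 = CWR (MSB), 2 = ECE
# tcpdump's one-letter output: "." is ACK, "W" is CWR, "E" is ECE
TCPDUMP_LETTERS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, ".": 0x10,
                   "U": 0x20, "W": 0x80, "E": 0x40}

def _mask(letters, table):
    mask = 0
    for ch in letters:
        mask |= table[ch]
    return mask

def parse_flags_option(option):
    """Split 'R,12' / '+SA' / '*SR' into (modifier, wanted_mask, ignore_mask)."""
    spec, _, ignore = option.partition(",")
    modifier = ""
    if spec and spec[0] in "!*+":
        modifier, spec = spec[0], spec[1:]
    wanted = 0 if spec == "0" else _mask(spec, FLAG_BITS)   # "0" = no flags set
    return modifier, wanted, _mask(ignore, FLAG_BITS)

def flags_match(option, packet_flags):
    """True when a TCP flags byte satisfies the given flags option."""
    modifier, wanted, ignore_mask = parse_flags_option(option)
    observed = packet_flags & ~ignore_mask & 0xFF
    if modifier == "+":
        return observed & wanted == wanted
    if modifier == "*":
        return observed & wanted != 0
    if modifier == "!":
        return observed & wanted == 0
    return observed == wanted          # exact: no extra flags allowed

def tcpdump_flags(text):
    """Translate tcpdump's bracketed flags text, e.g. '[R.]', into the flag byte."""
    return _mask(text.strip("[]"), TCPDUMP_LETTERS)

def evaluate_thread_packet():
    """Check the quoted 'Flags [R.]' reply (RST+ACK) against two rule variants."""
    rst_ack = tcpdump_flags("[R.]")   # constructed from the tcpdump line above
    return {"R,12": flags_match("R,12", rst_ack),
            "+R,12": flags_match("+R,12", rst_ack)}

if __name__ == "__main__":
    for option, hit in evaluate_thread_packet().items():
        print(f"flags:{option}; vs RST/ACK -> {'alert' if hit else 'no alert'}")
```

Under these semantics the exact-match form `flags:R,12` only fires when RST is the sole flag set (reserved bits aside), while `flags:+R,12` also accepts the RST/ACK reply shown in the capture.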