[Snort-sigs] [Snort-devel] Maybe I'm missing something...
william.metcalf at ...2420...
Thu May 6 00:14:48 EDT 2010
Ahh indeed! I feel like an idiot for missing that. Thanks Beenph!
On Wed, May 5, 2010 at 11:01 PM, beenph <beenph at ...2420...> wrote:
> Missed the colon not quite visible on my monitor, my bad.
> But beside that,
> alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES
> Battle.net connection reset (possible IP-Ban)"; classtype:
> sid:2002117; rev:5;)
> Seems like ACK is set in reply (Wireshark)
> flags:R,12; -> flags:+R,12
> On Wed, May 5, 2010 at 11:50 PM, Will Metcalf <william.metcalf at ...2420...> wrote:
>> Don't forget the colon...
>> > alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024:
>> According to the example in the snort manual this means any port equal
>> to or greater than 1024, 43844 > 1024.
>> "log tcp any :1024 -> 192.168.1.0/24 500:
>> log tcp traffic from privileged ports less than or equal to 1024
>> going to ports greater than or equal to 500
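
An added example, not part of the original thread and not Snort's own code: a small Python model of the two points discussed above, the `1024:` port-range syntax and the difference between `flags:R,12` and `flags:+R,12` on a RST+ACK segment. The function names and the sample packet are constructed for illustration; the modifier semantics follow the Snort manual's description of the `flags` option.

```python
# Added illustration: a small model of Snort's port-range and `flags` semantics.
# Not Snort code; bit values are the standard TCP header flag bits.
TCP_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
            "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

def port_matches(spec, port):
    """Snort port syntax: 'any', 'N', 'N:' (>= N), ':N' (<= N), 'N:M'."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    low, high = spec.split(":", 1)
    return int(low or 0) <= port <= int(high or 65535)

def _bits(letters):
    value = 0
    for ch in letters:
        value |= TCP_BITS[ch.upper()]
    return value

def flags_match(option, tcp_flags):
    """Evaluate a `flags:` option value such as 'R,12' or '+R,12'."""
    spec, _, mask = option.partition(",")
    mode = spec[0] if spec[0] in "+*!" else ""
    want = _bits(spec[len(mode):])
    seen = tcp_flags & ~_bits(mask) & 0xFF    # bits named in the mask are ignored
    if mode == "+":                           # all listed bits set, others allowed
        return (seen & want) == want
    if mode == "*":                           # at least one listed bit set
        return (seen & want) != 0
    if mode == "!":                           # none of the listed bits set
        return (seen & want) == 0
    return seen == want                       # no modifier: exact match

# Constructed sample packet: RST+ACK from server port 6112 to client port 43844.
RST_ACK = TCP_BITS["R"] | TCP_BITS["A"]

def evaluate(flags_option, sport=6112, dport=43844, tcp_flags=RST_ACK):
    """Apply the rule header (6112 -> 1024:) plus one flags option."""
    return (port_matches("6112", sport) and port_matches("1024:", dport)
            and flags_match(flags_option, tcp_flags))

if __name__ == "__main__":
    for opt in ("R,12", "+R,12"):
        print(f"flags:{opt:6} -> {'alert' if evaluate(opt) else 'no match'}")
```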