[Snort-users] Whisker Rule

Ralf Hildebrandt Ralf.Hildebrandt at ...22...
Thu Aug 31 09:52:39 EDT 2000


alert tcp !$HOME_NET any -> $HOME_NET 80 (dsize: > 512; msg:"SCAN - Whisker Stealth Mode 4- head"; content:"|68 65 61 64|"; offset: 0; depth: 4;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (dsize: > 512; msg:"SCAN - Whisker Stealth Mode 4- HEAD"; content:"HEAD"; offset: 0; depth: 4; nocase;)

I have these two in my rules. Aren't they equivalent?

-- 
ralf.hildebrandt at ...22...
Dipl.-Informatiker                                       innominate AG
system engineer                                      networking people
tel: +49.30.308806-62  fax: -77   http://innominate.de  pgp at request
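
Added example (not part of the original post, and not Snort's own code): a simplified Python model of the dsize, content, offset, depth and nocase options as they appear in the two rules above, run against constructed request payloads to show which method spellings each rule matches. The function names and the padded sample requests are assumptions made for illustration.

```python
# Simplified model of the Snort options used in the two rules above
# (dsize, content, offset, depth, nocase). Illustration only, not Snort code.

def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into bytes; |..| sections are hex."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                        # inside |...|: hex byte values
            out += bytes.fromhex(part.replace(" ", ""))
        else:                            # outside: literal ASCII text
            out += part.encode("ascii")
    return bytes(out)

def rule_matches(payload: bytes, content: str, offset: int, depth: int,
                 nocase: bool = False, min_dsize: int = 512) -> bool:
    if not len(payload) > min_dsize:     # dsize: > 512
        return False
    needle = parse_content(content)
    window = payload[offset:offset + depth]  # bytes the search may inspect
    if nocase:                           # nocase: compare ignoring case
        needle, window = needle.lower(), window.lower()
    return needle in window

def rule_hex_head(payload: bytes) -> bool:
    """First rule: content:"|68 65 61 64|"; offset: 0; depth: 4;"""
    return rule_matches(payload, "|68 65 61 64|", 0, 4)

def rule_nocase_head(payload: bytes) -> bool:
    """Second rule: content:"HEAD"; offset: 0; depth: 4; nocase;"""
    return rule_matches(payload, "HEAD", 0, 4, nocase=True)

def constructed_request(method: bytes, size: int = 600) -> bytes:
    """Constructed sample: a request line padded to exactly `size` bytes."""
    line = method + b" / HTTP/1.0\r\n"
    return line + b"X-Pad: " + b"A" * (size - len(line) - 11) + b"\r\n\r\n"

if __name__ == "__main__":
    print(f"{'method':8} {'hex rule':9} {'nocase rule'}")
    for method in (b"head", b"HEAD", b"HeAd", b"GET"):
        p = constructed_request(method)
        print(f"{method.decode():8} {str(rule_hex_head(p)):9} "
              f"{rule_nocase_head(p)}")
```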