[Snort-users] Why flags PA?

Reckhard, Tobias Reckhard at ...861...
Tue Nov 28 03:02:34 EST 2000


Hi all.

We've got a student here, comparing different Intrusion Detection Systems,
snort being one of them. As an Open Source fan, I'm rather interested in the
latter, but haven't had the chance to check into it deeply yet.

Now he's been testing the IDS with CyberCop and noticed that snort didn't
pick up a lot of the simulated intrusions. Checking the snort signature
files, he noticed that most rules have the flags P (TCP PuSH) and A (TCP
ACK) set. Is there a good reason for this? He further noticed that some
CGI-BIN queries indeed involved packets with both of those TCP flags set
when using MS IE as a client. However, I suppose that a real attack would
probably involve packets crafted by hand or by a specialised attack tool,
which wouldn't need to set the PSH bit, at least. Snort wouldn't pick this
up, would it?

I'd be grateful for any insights. And sorry if this should be an FAQ, I've
just subscribed to this list two days ago.

Cheers
-- 
Tobias Reckhard
secunet 
Security Networks AG       Tel   : +49(6196)95888-42
Mergenthalerallee 77       Fax   : +49(6196)95888-88
D-65760 Eschborn           E-Mail: reckhard at ...861...
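The blind spot described in the post, modelled in code. This is an added example, not part of the original message and not Snort's own code: it reimplements the Snort 1.x `flags:` option semantics (exact match by default, plus the `+`, `*` and `!` modifiers) in Python and runs a `flags: PA` rule and a `flags: A+` rule over constructed packets. The sample packets and payloads are hypothetical, not captured traffic.

```python
"""Toy model of Snort 1.x 'flags:' matching (added example, not from the post)."""

# TCP flag letters as Snort spells them. '1' and '2' are the two reserved
# bits; the special value '0' means "no flags set at all".
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def flags_to_mask(letters):
    """Turn a letter string such as 'PA' into an 8-bit mask ('0' -> 0)."""
    if letters == "0":
        return 0
    if not letters:
        raise ValueError("empty flags specification")
    mask = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        mask |= TCP_FLAGS[ch]
    return mask


def flags_match(spec, packet_flags):
    """Evaluate a Snort 'flags:' value against a packet's 8-bit flag field.

    Snort 1.x grammar: flag letters, optionally followed by ONE modifier:
      (none)  exact match: the packet must carry exactly these bits
      +       these bits must be set, any others may be set as well
      *       at least one of these bits must be set
    A leading '!' inverts the result of the match.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    mode = "exact"
    if spec and spec[-1] in "+*":
        mode, spec = spec[-1], spec[:-1]
    want = flags_to_mask(spec)
    if mode == "exact":
        hit = packet_flags == want
    elif mode == "+":
        hit = (packet_flags & want) == want
    else:  # '*'
        hit = (packet_flags & want) != 0
    return hit != negate


def rule_hits(rule, packet):
    """A two-option rule: a 'flags' test plus a 'content' substring test."""
    return (flags_match(rule["flags"], packet["flags"])
            and rule["content"] in packet["payload"])


# Constructed sample packets (hypothetical): a browser hands the request to
# TCP in one write, so the segment carries PSH+ACK; a scripted attack tool
# need not set PSH and can send the same bytes with ACK alone.
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"
PKT_BROWSER = {"flags": TCP_FLAGS["P"] | TCP_FLAGS["A"], "payload": REQUEST}
PKT_TOOL = {"flags": TCP_FLAGS["A"], "payload": REQUEST}
PKT_SYN = {"flags": TCP_FLAGS["S"], "payload": b""}

# Two versions of the same rule, differing only in the flags option.
RULE_PA = {"flags": "PA", "content": b"/cgi-bin/phf"}
RULE_APLUS = {"flags": "A+", "content": b"/cgi-bin/phf"}


def compare_rules():
    """Return which rule alerts on which packet, exposing the 'PA' gap."""
    return {
        "PA_vs_browser": rule_hits(RULE_PA, PKT_BROWSER),
        "PA_vs_tool": rule_hits(RULE_PA, PKT_TOOL),
        "Aplus_vs_browser": rule_hits(RULE_APLUS, PKT_BROWSER),
        "Aplus_vs_tool": rule_hits(RULE_APLUS, PKT_TOOL),
        "Aplus_vs_syn": rule_hits(RULE_APLUS, PKT_SYN),
    }


if __name__ == "__main__":
    for name, hit in compare_rules().items():
        print(f"{name:18} {'ALERT' if hit else 'miss'}")
```

Running it shows the `flags: PA` rule alerting only on the browser-style segment and missing the identical payload sent with ACK alone, while `flags: A+` alerts on both and still ignores the bare SYN. Rewriting `PA` as `A+` is the usual remedy for Snort 1.x rules; later Snort releases moved this check to the `flow:` keyword and stream reassembly, which do not depend on the PSH bit at all.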
