[Snort-users] Why flags PA?

Al Huger - Mail Account ah1 at ...35...
Tue Nov 28 09:57:50 EST 2000


> Now he's been testing the IDS with CyberCop and noticed that snort didn't
> pick up a lot of the simulated intrusions. Checking the snort signature
> files, he noticed that most rules have the flags P (TCP PuSH) and A (TCP
> ACK) set. Is there a good reason for this? He further noticed that some
> CGI-BIN queries indeed involved packets with both of those TCP flags set


Which Cybercop scanner checks did it miss? At least some of the Snort
sigs for it rely on text supplied by the scanner, for example: ehlo
cybercop|0a|quit|0a| for the scanner-cybercop-smtp-ehlo signature.
All of these checks which provide text like this can be modified
to use other commands etc. Did he modify the scanner at all?
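The two points raised in the thread (a rule that requires flags PA, and a signature whose content is text the scanner itself supplies) can be seen together in a small matcher. This is an added example, not Snort code or anything from the original post; the rule below is a hypothetical one modelled on the scanner-cybercop-smtp-ehlo signature named above, and a bare `flags:PA` is treated as an exact flag match, which is how Snort reads a flags option without a `+` or `*` modifier.

```python
import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def build_tcp_segment(src_port, dst_port, flags, payload):
    """Constructed test input: a bare TCP segment (no IP header, 20-byte header, no options)."""
    flag_bits = 0
    for letter in flags:
        flag_bits |= TCP_FLAGS[letter]
    data_offset = 5 << 12  # header length in 32-bit words, stored in the top 4 bits
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                         data_offset | flag_bits, 8192, 0, 0)
    return header + payload

def parse_tcp_segment(segment):
    """Return (dst_port, set of flag letters, payload) from a raw TCP segment."""
    fields = struct.unpack("!HHIIHHHH", segment[:20])
    dst_port, off_flags = fields[1], fields[4]
    header_len = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x3F
    flags = {name for name, bit in TCP_FLAGS.items() if flag_bits & bit}
    return dst_port, flags, segment[header_len:]

# Hypothetical rule in the spirit of scanner-cybercop-smtp-ehlo:
# port 25, flags:PA, content "ehlo cybercop|0a|quit|0a|" (Snort's |0a| is a raw newline byte).
RULE = {"dst_port": 25, "flags": {"P", "A"}, "content": b"ehlo cybercop\nquit\n"}

def rule_matches(rule, segment):
    """True only when port, the exact flag set, and the content string all match."""
    dst_port, flags, payload = parse_tcp_segment(segment)
    return (dst_port == rule["dst_port"]
            and flags == rule["flags"]
            and rule["content"] in payload)

if __name__ == "__main__":
    probe = b"ehlo cybercop\nquit\n"
    # Normal case: payload pushed to the server with PSH+ACK set -> alert.
    print(rule_matches(RULE, build_tcp_segment(40000, 25, "PA", probe)))
    # Same payload, ACK only -> no alert, because flags:PA is not satisfied.
    print(rule_matches(RULE, build_tcp_segment(40000, 25, "A", probe)))
    # Scanner text changed -> no alert, because the signature keys on that text.
    print(rule_matches(RULE, build_tcp_segment(40000, 25, "PA", b"ehlo probe\nquit\n")))
```

The second and third cases are the two ways the thread describes a miss: a flag pattern the rule does not expect, and scanner-supplied text that no longer matches the content string.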