[Snort-users] Why flags PA?

Guy Bruneau bruneau at ...126...
Wed Nov 29 05:43:52 EST 2000


Tobias,

One of the reasons it alerts on PA flags is to minimize false positives.
You will only get an alert upon successful connections. If you want to see all
the attempts, you either have to modify the signatures, add your own signatures
or use your firewall logs to see if an attempt to a specific port occurred.

Guy

--
Guy Bruneau

"Reckhard, Tobias" wrote:

> Hi all.
>
> We've got a student here, comparing different Intrusion Detection Systems,
> snort being one of them. As an Open Source fan, I'm rather interested in the
> latter, but haven't had the chance to check into it deeply yet.
>
> Now he's been testing the IDS with CyberCop and noticed that snort didn't
> pick up a lot of the simulated intrusions. Checking the snort signature
> files, he noticed that most rules have the flags P (TCP PuSH) and A (TCP
> ACK) set. Is there a good reason for this? He further noticed that some
> CGI-BIN queries indeed involved packets with both of those TCP flags set
> when using MS IE as a client. However, I suppose that a real attack would
> probably involve packets crafted by hand or by a specialised attack tool,
> which wouldn't need to set the PSH bit, at least. Snort wouldn't pick this
> up, would it?
>
> I'd be grateful for any insights. And sorry if this should be an FAQ, I've
> just subscribed to this list two days ago.
>
> Cheers
> --
> Tobias Reckhard
> secunet
> Security Networks AG       Tel   : +49(6196)95888-42
> Mergenthalerallee 77       Fax   : +49(6196)95888-88
> D-65760 Eschborn           E-Mail: reckhard at ...861...
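To make the trade-off concrete, here is an added example (not Snort's own code, and not from either poster): a simplified reimplementation of Snort's `flags:` rule option, including the `+`, `*` and `!` modifiers, run over three constructed TCP flag bytes. A rule written with `flags:PA` only inspects the data segment of an established connection, which is why it is quiet on refused attempts, while `flags:A+` also reaches a hand-crafted segment that never sets PSH.

```python
"""Simplified model of Snort's ``flags:`` option (added example, not Snort's parser)."""

# Bit values of the six classic flags in the TCP header flags byte.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec):
    """Return (modifier, mask) for a spec such as 'PA', 'A+', '*SA' or '!S'.

    Simplification: the modifier is accepted at either end of the flag list,
    and the optional second ',<flags>' ignore-mask argument is not modelled.
    """
    modifier, mask = "", 0
    for ch in spec.upper():
        if ch in "+*!":
            modifier = ch
        elif ch in TCP_FLAGS:
            mask |= TCP_FLAGS[ch]
        else:
            raise ValueError(f"unknown TCP flag {ch!r}")
    return modifier, mask


def flags_match(spec, pkt_flags):
    """True if a packet carrying pkt_flags satisfies the flags: spec."""
    modifier, mask = parse_flags(spec)
    if modifier == "+":          # all listed flags set, others ignored
        return pkt_flags & mask == mask
    if modifier == "*":          # any of the listed flags set
        return pkt_flags & mask != 0
    if modifier == "!":          # none of the listed flags set
        return pkt_flags & mask == 0
    return pkt_flags == mask     # no modifier: exact match


# Constructed sample packets (flag bytes only, no real capture).
SAMPLE_PACKETS = {
    "IE cgi-bin GET on an established connection": TCP_FLAGS["P"] | TCP_FLAGS["A"],
    "hand-crafted request segment, PSH left clear": TCP_FLAGS["A"],
    "SYN of a connection attempt that was refused": TCP_FLAGS["S"],
}


def matching_packets(spec):
    """Descriptions of the sample packets a rule with this flags: spec would inspect."""
    return [desc for desc, flags in SAMPLE_PACKETS.items() if flags_match(spec, flags)]


if __name__ == "__main__":
    for spec in ("PA", "A+", "S"):
        print(f"flags:{spec};".ljust(11), matching_packets(spec))
```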