[Snort-users] Why flags PA?

Reckhard, Tobias Reckhard at ...861...
Wed Nov 29 07:51:38 EST 2000


Hi Guy and thanks for the response.

> One of the reasons it alerts on PA flags is to minimize false
> positives. You will only get an alert upon successful connections.
> 
I understand that this is what the 'A' flag, which indicates that the ACK
bit must be set, will do. I do not see the reason for requiring the PSH bit
to be set.

> If you want to see all the attempts, you either have to modify the
> signatures, add your own signatures or use your firewall logs to see if an
> attempt to a specific port occurred.
> 
Thanks for the explanation (honestly), but I know that. I'm just wondering
why the PSH bit is used in so many Snort rules. It seems like an invitation
to avoid detection by Snort to simply make sure the attack client one uses
does not set the PSH bit. Or am I missing something?

Cheers
Tobias
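
The flag-matching question raised in this post, as an added example that is not part of the original message and is not Snort code: a small Python model of how the `flags` rule option is documented to behave (exact match by default, `+` for "these bits plus any others", `*` for "any of these bits"). The segment flag bytes are constructed samples, and the reserved bits and the optional mask argument are left out as a simplification.

```python
# Added illustration; not code from Snort or from the original post.
# Models the documented behaviour of Snort's `flags` rule option:
#   flags:PA   -> exactly these bits set, no others
#   flags:A+   -> all listed bits set, any others allowed
#   flags:*PA  -> at least one of the listed bits set
# Assumption: reserved bits and the optional mask argument are ignored.

TCP_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags_option(spec):
    """Split a spec such as 'PA', 'A+' or '*PA' into (mode, bitmask)."""
    mode, mask = "exact", 0
    for ch in spec.strip():
        if ch == "+":
            mode = "all"
        elif ch == "*":
            mode = "any"
        else:
            mask |= TCP_BITS[ch.upper()]
    return mode, mask


def flags_match(spec, tcp_flags):
    """Return True if a segment's flag byte satisfies the flags spec."""
    mode, mask = parse_flags_option(spec)
    observed = tcp_flags & 0x3F  # keep only FIN..URG for this model
    if mode == "all":
        return (observed & mask) == mask
    if mode == "any":
        return (observed & mask) != 0
    return observed == mask


# Constructed sample flag bytes, not captured traffic.
SEGMENTS = {
    "ACK+PSH data segment": 0x18,
    "ACK-only data segment": 0x10,
    "ACK+PSH+URG data segment": 0x38,
    "SYN (no connection yet)": 0x02,
}


def coverage(spec):
    """List the sample segments a rule with this flags spec would inspect."""
    return [name for name, flags in SEGMENTS.items() if flags_match(spec, flags)]


if __name__ == "__main__":
    for spec in ("PA", "A+"):
        print(f"flags:{spec:<3} matches {coverage(spec)}")
```

Run as a script, it prints which sample segments each spec covers: `flags:PA` inspects only the ACK+PSH segment, while `flags:A+` still requires ACK (so the bare SYN is skipped) but does not depend on PSH.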