[Snort-users] Why flags PA?

Martin Roesch roesch at ...421...
Wed Nov 29 10:21:08 EST 2000


Well, theoretically explicitly detailing the PSH flag shouldn't be required,
but since the vast majority of applications out there set it when they're
xmitting data, it seemed like a good idea at the time (1.5 years ago).  With
the advent of tcp flags logic back in 1.6 it's probably not a bad idea to
revisit the rules that specify "flags: PA" and set them to something a little
more reasonable like "flags: A+", which matches on ACK plus anything else. 
There's a slightly higher chance of false alarms, but you won't have people
walking by the detection rules by not setting the PSH flag.

     -Marty

"Reckhard, Tobias" wrote:
> 
> Hi Guy and thanks for the response.
> 
> > One of the reasons it alerts on a PA flags is to minimize the false
> > positive. You will only get an alert upon successful connections.
> >
> I understand that this is what the 'A' flag, which indicates that the ACK
> bit must be set, will do. I do not see the reason for requiring the PSH bit
> to be set.
> 
> > If you want to see all the attempts, you either have to modify the
> > signatures, add your own signatures or use your firewall logs to see if an
> > attempt to a specific port occurred.
> >
> Thanks for the explanation (honestly), but I know that. I'm just wondering
> why the PSH bit is used in so many Snort rules. It seems like an invitation
> to avoid detection by Snort to simply make sure the attack client one uses
> does not set the PSH bit. Or am I missing something?
> 
> Cheers
> Tobias
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
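As an added illustration (not from the original post or from Snort's own source), here is a simplified Python model of the Snort "flags:" option that shows the point above: a rule written as "flags: PA" is an exact match on PSH+ACK and misses a data segment carrying only ACK, while "flags: A+" matches ACK plus anything else. It also covers the "*" and "!" modifiers that Snort accepts but the thread does not mention; the sample flag bytes are constructed.

```python
# Flag letters as Snort names them (F,S,R,P,A,U plus the two reserved bits).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_flags(spec):
    """Return (bitmask, modifier) for a spec such as 'PA', 'A+', 'S*' or '!R'."""
    spec = spec.strip()
    modifier = ""
    if spec.startswith("!"):
        modifier, spec = "!", spec[1:]
    elif spec and spec[-1] in "+*":
        modifier, spec = spec[-1], spec[:-1]
    mask = 0
    for ch in spec:
        mask |= FLAG_BITS[ch]  # unknown letters raise KeyError, like a bad rule
    return mask, modifier


def flags_match(spec, tcp_flags):
    """True if a segment's TCP flag byte satisfies the rule's flags option."""
    mask, modifier = parse_flags(spec)
    if modifier == "+":        # all listed bits set, any others tolerated
        return tcp_flags & mask == mask
    if modifier == "*":        # at least one of the listed bits set
        return tcp_flags & mask != 0
    if modifier == "!":        # none of the listed bits set
        return tcp_flags & mask == 0
    return tcp_flags == mask   # plain spec: exactly these bits and no others


def compare_rules(tcp_flags):
    """Show how the two rule styles from the thread treat one segment."""
    return {"PA": flags_match("PA", tcp_flags), "A+": flags_match("A+", tcp_flags)}


if __name__ == "__main__":
    # Constructed sample segments: flag byte -> description.
    samples = {0x18: "PSH+ACK data", 0x10: "ACK-only data",
               0x11: "FIN+ACK", 0x02: "bare SYN (no connection yet)"}
    for flags, label in samples.items():
        print(f"{label:30} {compare_rules(flags)}")
```

Running the script shows that the ACK-only and FIN+ACK segments are seen by "A+" but not by "PA", while the bare SYN matches neither, which is the "successful connections only" property the thread attributes to the A bit.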


