[Snort-users] Snort rules over-use "any"?
Jason.Haar at ...294...
Tue Sep 5 19:41:09 EDT 2000
I just got a couple of bogus alerts, and I think I can see why.
Most of the rules are of the form:
alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;)
That says any internal address port 777 that sends TCP data to any external
address on any port number should match....
Why any port number? Surely this should be 1024: instead of any?
I know, I know, some broken IP stacks and apps - like some Windows apps -
use port numbers < 1024 when they're meant to be above it - but what do
these actual attacks use? If the bad software uses > 1024, then so should
Unix/Network Specialist, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
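A small matcher for the header part of the rule quoted above, as an added example that is not part of the original post or of Snort itself; it assumes the $INTERNAL and $EXTERNAL variable values shown and a constructed flow, and shows how a destination port of "any" matches a low-port client that "1024:" would exclude.

```python
# Added example (not from the post or from Snort): evaluate a Snort rule header
# against a flow to compare "any" with the "1024:" destination-port range.
import ipaddress
import re

VARS = {"$INTERNAL": "10.0.0.0/8", "$EXTERNAL": "!10.0.0.0/8"}  # assumed config values

HEADER = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(rule):
    """Split 'action proto src sport -> dst dport (options)' into its fields."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, dst, dport, opts = m.groups()
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def ip_matches(spec, ip):
    """Resolve a $VAR, then honour 'any' and Snort's '!' negation on a CIDR."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def port_matches(spec, port):
    """Snort port syntax: 'any', a single port, or a range 'lo:hi', 'lo:', ':hi'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def rule_matches(rule, flow):
    r = parse_rule(rule)
    return (r["proto"] == flow["proto"]
            and ip_matches(r["src"], flow["src"]) and port_matches(r["sport"], flow["sport"])
            and ip_matches(r["dst"], flow["dst"]) and port_matches(r["dport"], flow["dport"]))

ANY_RULE = 'alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;)'
EPHEMERAL_RULE = ANY_RULE.replace("$EXTERNAL any", "$EXTERNAL 1024:")

# Constructed flow: an internal host answering from TCP/777 to an external client
# whose source port is below 1024 (the case the post describes as possibly legitimate).
LOW_PORT_FLOW = {"proto": "tcp", "src": "10.1.2.3", "sport": 777,
                 "dst": "203.0.113.5", "dport": 1023}
```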