syn [Re: [Snort-users] ack!@]

Denis Ducamp Denis.Ducamp at ...199...
Mon Jan 29 08:25:13 EST 2001


On Sun, Jan 28, 2001 at 08:39:37PM -0800, Max Vision wrote:
> Hi,

Hi,

>    Shouldn't the rules with "flags: AP;" be "flags: A+;"

Shouldn't rules such as:

	alert TCP $EXTERNAL any -> $INTERNAL port (msg: "..."; ...; flags: S;)

be written as:

	alert TCP $INTERNAL port -> $EXTERNAL any (msg: "..."; ...; flags: SA;)
or
	alert TCP $INTERNAL port <> $EXTERNAL any (msg: "..."; ...; flags: SA;)

Because the second says that the connection was acknowledged, which is really
an alert. The first rule may be present, but only as a log, not as an alert,
imho.

My 2 cents.

Denis Ducamp.

-- 
 Denis.Ducamp at ...199... --- Hervé Schauer Consultants --- http://www.hsc.fr/
snort, hping & dsniff en français : http://www.groar.org/~ducamp/#sec-trad
 Du bon usage de ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
  Netiquette Guidelines .... http://www.pasteur.fr/infosci/RFC/18xx/1855
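A small model of the flag matching this thread is arguing about, added here as an illustration; it is not code from the poster, from Max Vision, or from Snort. The modifier semantics (no modifier = exact match, `+` = listed bits plus any others, `*` = any listed bit, `!` = none of the listed bits) are assumed from Snort's documented `flags:` keyword, the zone names `external`/`internal` stand in for `$EXTERNAL`/`$INTERNAL`, and the three packets are constructed, not captured. It shows why `AP` misses a PSH/ACK with an extra bit while `A+` catches it, and why a `flags: S` rule fires on every probe whereas a `flags: SA` rule from the inside only fires when the port actually answered.

```python
"""Model of Snort-style 'flags:' matching and rule direction (illustrative
code, not Snort's implementation).  Flag modifier semantics are an assumption
based on Snort's documented keyword."""

# TCP flag bits as they appear in the TCP header (Snort's letters as keys).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def tcp_flags(*names):
    """Build a flag bitmask from letters, e.g. tcp_flags('S', 'A')."""
    value = 0
    for name in names:
        value |= FLAG_BITS[name]
    return value


def parse_flags(spec):
    """Split a 'flags:' value such as 'SA', 'A+', '!S' into (mask, modifier)."""
    spec = spec.strip()
    modifier = ""
    if spec.startswith("!"):
        modifier, spec = "!", spec[1:]
    elif spec and spec[-1] in "+*":
        modifier, spec = spec[-1], spec[:-1]
    mask = 0
    for ch in spec:
        if ch == "0":            # '0' means no flags set at all
            continue
        mask |= FLAG_BITS[ch]
    return mask, modifier


def flags_match(spec, pkt_flags):
    """Apply the assumed modifier semantics to a packet's flag bitmask."""
    mask, modifier = parse_flags(spec)
    if modifier == "":
        return pkt_flags == mask               # exact match
    if modifier == "+":
        return pkt_flags & mask == mask        # listed bits plus any others
    if modifier == "*":
        return pkt_flags & mask != 0           # any of the listed bits
    return pkt_flags & mask == 0               # '!': none of the listed bits


def rule_matches(rule, pkt):
    """Check zone direction ('->' or '<>') and then the flags keyword."""
    forward = pkt["src"] == rule["src"] and pkt["dst"] == rule["dst"]
    reverse = pkt["src"] == rule["dst"] and pkt["dst"] == rule["src"]
    zones_ok = forward or (rule["direction"] == "<>" and reverse)
    return zones_ok and flags_match(rule["flags"], pkt["flags"])


def fired(rules, packets):
    """Return (msg, packet label) pairs for every rule hit, in packet order."""
    return [(r["msg"], p["label"])
            for p in packets for r in rules if rule_matches(r, p)]


# Constructed traffic: one inbound SYN probe and the two possible replies.
SYN_PROBE = {"label": "probe", "src": "external", "dst": "internal",
             "flags": tcp_flags("S")}
SYNACK_OPEN = {"label": "open-port reply", "src": "internal", "dst": "external",
               "flags": tcp_flags("S", "A")}
RST_CLOSED = {"label": "closed-port reply", "src": "internal", "dst": "external",
              "flags": tcp_flags("R", "A")}

# The two rules from the post, reduced to zone, direction and flags.
RULES = [
    {"msg": "connection attempt", "src": "external", "direction": "->",
     "dst": "internal", "flags": "S"},
    {"msg": "connection established", "src": "internal", "direction": "->",
     "dst": "external", "flags": "SA"},
]


def scenario(reply):
    """Run both rules over the probe followed by the given reply."""
    return fired(RULES, [SYN_PROBE, reply])


if __name__ == "__main__":
    print("open port:  ", scenario(SYNACK_OPEN))
    print("closed port:", scenario(RST_CLOSED))
    print("AP vs PSH/ACK/URG:", flags_match("AP", tcp_flags("A", "P", "U")))
    print("A+ vs PSH/ACK/URG:", flags_match("A+", tcp_flags("A", "P", "U")))
```

The `flags: S` rule fires on the probe in both scenarios, so it only tells you someone tried; the `flags: SA` rule fires only when the internal host replied with SYN/ACK, which is the case worth alerting on.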