syn [Re: [Snort-users] ack!@]

Denis Ducamp Denis.Ducamp at ...199...
Mon Jan 29 08:25:13 EST 2001

On Sun, Jan 28, 2001 at 08:39:37PM -0800, Max Vision wrote:
> Hi,


>    Shouldn't the rules with "flags: AP;" be "flags: A+;"

Shouldn't rules such as:

	alert TCP $EXTERNAL any -> $INTERNAL port (msg: "..."; ...; flags: S;)

be:

	alert TCP $INTERNAL port -> $EXTERNAL any (msg: "..."; ...; flags: SA;)
or	alert TCP $INTERNAL port <> $EXTERNAL any (msg: "..."; ...; flags: SA;)

Because the second says that the connection was acknowledged, which is really
an alert. The first rule may be present, but only as a log, not as an alert.

My 2 cents.

Denis Ducamp.

 Denis.Ducamp at ...199... --- Hervé Schauer Consultants ---
snort, hping & dsniff in French:
 On the proper use of ...
  Netiquette Guidelines ....
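The difference between the two rule styles in the post, and between the "AP" and "A+" flag specs asked about in the quoted message, can be seen by running a small model of Snort's `flags:` matching over some traffic. The following is an added example; it is not code from the Snort project or from anyone in this thread. It assumes $INTERNAL is 10.0.0.0/8 and uses constructed packets: a scanner sends a SYN to telnet on two internal hosts, one of which has nothing listening (answers RST/ACK) and one which accepts (answers SYN/ACK).

```python
# Added example, not code from the Snort project or from the thread.
# Minimal model of Snort's TCP `flags:` matching and rule direction, used to
# compare the two rule styles discussed in the post. The network, ports and
# packets are constructed for illustration; $INTERNAL is assumed to be 10.0.0.0/8.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed value of $INTERNAL


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters as Snort writes them: F S R P A U


def flags_match(spec: str, pkt_flags: str) -> bool:
    """Snort `flags:` option semantics: no modifier means the packet's flags
    must be exactly the listed ones; '+' means the listed flags plus any
    others; '*' means any of the listed flags; '!' means none of them."""
    modifier = ""
    if spec and spec[-1] in "+*!":
        modifier, spec = spec[-1], spec[:-1]
    want, have = set(spec), set(pkt_flags)
    if modifier == "+":
        return want <= have
    if modifier == "*":
        return bool(want & have)
    if modifier == "!":
        return not (want & have)
    return want == have


@dataclass(frozen=True)
class Rule:
    msg: str
    from_internal: bool  # True: $INTERNAL port -> $EXTERNAL any; False: $EXTERNAL any -> $INTERNAL port
    port: int            # the service port on the internal host
    flags: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.from_internal:
        direction_ok = (is_internal(pkt.src) and not is_internal(pkt.dst)
                        and pkt.sport == rule.port)
    else:
        direction_ok = (not is_internal(pkt.src) and is_internal(pkt.dst)
                        and pkt.dport == rule.port)
    return direction_ok and flags_match(rule.flags, pkt.flags)


def run_rules(rules, packets):
    """Return {rule msg: number of packets that fired it}."""
    return {r.msg: sum(rule_matches(r, p) for p in packets) for r in rules}


# Constructed traffic: one scanner probes telnet on two internal hosts.
# 10.0.0.5 has nothing listening (answers RST/ACK); 10.0.0.6 accepts (SYN/ACK).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 40001, "10.0.0.5", 23, "S"),
    Packet("10.0.0.5", 23, "198.51.100.7", 40001, "RA"),
    Packet("198.51.100.7", 40002, "10.0.0.6", 23, "S"),
    Packet("10.0.0.6", 23, "198.51.100.7", 40002, "SA"),
]

# The two rule styles from the post, as Rule objects rather than rule text.
SYN_IN = Rule("telnet probe (SYN from outside)", False, 23, "S")
SYNACK_OUT = Rule("telnet accepted (SYN/ACK from inside)", True, 23, "SA")


def compare_rule_styles():
    """The inbound-SYN rule fires on every probe; the outbound SYN/ACK rule
    fires only when an internal host actually accepted the connection."""
    return run_rules([SYN_IN, SYNACK_OUT], SAMPLE_PACKETS)


def compare_ap_vs_a_plus():
    """'AP' (exact match) versus 'A+' (ACK plus anything) over a few flag sets."""
    samples = ["A", "AP", "APU", "S"]
    return {f: (flags_match("AP", f), flags_match("A+", f)) for f in samples}


if __name__ == "__main__":
    print(compare_rule_styles())
    print(compare_ap_vs_a_plus())
```

Run as a script it reports two hits for the inbound SYN rule and one for the outbound SYN/ACK rule over the constructed traffic, which is the point of the post: the SYN from outside is worth logging, the SYN/ACK from inside is the alert. The second function shows why "AP" misses plain ACK or ACK/PSH/URG segments that "A+" would catch.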
