syn [Re: [Snort-users] ack!@]

Martin Roesch roesch at ...421...
Mon Jan 29 10:56:24 EST 2001


This would be a good application of dynamic rules.

    -Marty

Denis Ducamp wrote:
> 
> On Sun, Jan 28, 2001 at 08:39:37PM -0800, Max Vision wrote:
> > Hi,
> 
> Hi,
> 
> >    Shouldn't the rules with "flags: AP;" be "flags: A+;"
> 
> Shouldn't rules such as:
> 
>         alert TCP $EXTERNAL any -> $INTERNAL port (msg: "..."; ...; flags: S;)
> 
> be:
> 
>         alert TCP $INTERNAL port -> $EXTERNAL any (msg: "..."; ...; flags: SA;)
> or      alert TCP $INTERNAL port <> $EXTERNAL any (msg: "..."; ...; flags: SA;)
> 
> Because the second says that the connection was acknowledged which is really
> an alert. The first rule may be present but only as a log, not as an alert
> imho.
> 
> My 2 cents.
> 
> Denis Ducamp.
> 
> --
>  Denis.Ducamp at ...199... --- Hervé Schauer Consultants --- http://www.hsc.fr/
> snort, hping & dsniff in French: http://www.groar.org/~ducamp/#sec-trad
>  On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
>   Netiquette Guidelines .... http://www.pasteur.fr/infosci/RFC/18xx/1855
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
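The point in the quoted message is that a bare `flags: S;` rule fires on every probe, while a `flags: SA;` rule in the return direction only fires once an internal service has actually answered the handshake, and that `AP` (exactly ACK+PSH) is narrower than `A+` (ACK plus anything). The following Python model, added here as an editor's example and not code from Snort, Martin Roesch or Denis Ducamp, evaluates both rule forms over a few constructed packets. It assumes a `10.0.0.0/8` internal network, telnet (port 23) as the watched service, and the Snort 1.x flag modifier semantics as documented at the time (`+` = these bits plus any others, `*` = any of these bits, `!` = not this combination, no modifier = exact match); the `Packet`/`Rule` types and all sample traffic are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan for the example (not from the list thread).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# TCP flag bits in Snort letter notation.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flags_value(letters: str) -> int:
    """Turn a letter string such as 'SA' into the raw TCP flags byte."""
    v = 0
    for ch in letters:
        v |= FLAG_BITS[ch]
    return v


def parse_flags(spec: str):
    """Parse a Snort-style 'flags:' value: 'S', 'SA', 'A+', '*SA', '!S'."""
    spec = spec.strip()
    mode = "exact"
    if spec.startswith("!"):
        mode, spec = "not", spec[1:]
    elif spec.startswith("*"):
        mode, spec = "any", spec[1:]
    elif spec.endswith("+"):
        mode, spec = "plus", spec[:-1]
    return mode, flags_value(spec)


def flags_match(spec: str, tcp_flags: int) -> bool:
    """Apply the modifier semantics assumed above to a packet's flags byte."""
    mode, mask = parse_flags(spec)
    if mode == "plus":   # 'A+': ACK set, anything else allowed
        return tcp_flags & mask == mask
    if mode == "any":    # '*SA': SYN or ACK (or both) set
        return tcp_flags & mask != 0
    if mode == "not":    # '!S': anything except exactly SYN
        return tcp_flags != mask
    return tcp_flags == mask   # 'AP': exactly ACK+PSH and nothing else


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class Rule:
    msg: str
    src_internal: bool        # True = $INTERNAL, False = $EXTERNAL
    sport: Optional[int]      # None = any
    dst_internal: bool
    dport: Optional[int]
    flags: str
    bidirectional: bool = False   # '<>' operator


def _side_ok(rule_internal: bool, ip: str) -> bool:
    return (ipaddress.ip_address(ip) in INTERNAL) == rule_internal


def _one_way(rule: Rule, pkt: Packet) -> bool:
    return (_side_ok(rule.src_internal, pkt.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and _side_ok(rule.dst_internal, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    direction_ok = _one_way(rule, pkt)
    if not direction_ok and rule.bidirectional:
        # '<>': also accept the packet with the endpoints swapped.
        swapped = Rule(rule.msg, rule.dst_internal, rule.dport,
                       rule.src_internal, rule.sport, rule.flags)
        direction_ok = _one_way(swapped, pkt)
    return direction_ok and flags_match(rule.flags, flags_value(pkt.flags))


# Constructed traffic: a scanner probing a closed telnet port, then a real session.
TRAFFIC = [
    Packet("198.51.100.7", 40000, "10.0.0.5", 23, "S"),   # 0: scanner probe
    Packet("10.0.0.5", 23, "198.51.100.7", 40000, "RA"),  # 1: port closed, RST/ACK
    Packet("198.51.100.9", 51000, "10.0.0.5", 23, "S"),   # 2: real client SYN
    Packet("10.0.0.5", 23, "198.51.100.9", 51000, "SA"),  # 3: service answers
    Packet("198.51.100.9", 51000, "10.0.0.5", 23, "A"),   # 4: handshake completes
    Packet("198.51.100.9", 51000, "10.0.0.5", 23, "AP"),  # 5: data segment
]

# The two rule forms from the message: SYN inbound vs. SYN/ACK outbound.
SYN_RULE = Rule("telnet SYN (log only)", False, None, True, 23, "S")
SYNACK_RULE = Rule("telnet SYN/ACK (alert)", True, 23, False, None, "SA")


def evaluate(rules, traffic):
    """Return {rule msg: [indices of packets that matched]}."""
    hits = {r.msg: [] for r in rules}
    for i, pkt in enumerate(traffic):
        for r in rules:
            if rule_matches(r, pkt):
                hits[r.msg].append(i)
    return hits


if __name__ == "__main__":
    for msg, idx in evaluate([SYN_RULE, SYNACK_RULE], TRAFFIC).items():
        print(f"{msg}: packets {idx}")
```

Running it shows the SYN rule firing on both the scanner's probe and the legitimate client (packets 0 and 2), while the SYN/ACK rule fires only when the internal service actually accepted a connection (packet 3), which is the signal worth paging on. The same matcher also shows why `AP` is too strict for a content rule: a plain ACK data segment without PSH never matches it, whereas `A+` matches any segment carrying ACK.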
