[Snort-users] snort 1.8 rules

Phil Wood cpw at ...440...
Thu May 24 16:33:06 EDT 2001


Folks,

It appears that a rule like:

alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "ddos-shaft-synflood-outgoing"; seq: 674711609; flags: S; reference: arachnids,253;)

or

alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos;)

will catch packets like:

       10.0.0.0:1024 -> 1.2.3.4:37123

I think the intent of the rules was to look for source ports LESS than 1024.

Thanks,

Phil
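As an added illustration of the port-range semantics the message is about (this is not Snort's code and not part of the original post), the following Python reimplements how a Snort 1.x rule header's port fields are matched: a bare `N` is an exact port, `:N` is every port less than or equal to N (the bound is inclusive, which is the whole issue), `N:` is every port greater than or equal to N, `N:M` is an inclusive range, `any` matches everything and a leading `!` negates. The packet `10.0.0.0:1024 -> 1.2.3.4:37123` is constructed from the post; the rule text is the incoming shaft rule quoted above.

```python
"""Snort 1.x rule-header port matching (added example, not Snort source).

Assumed semantics of the port field, as in Snort 1.8 rule syntax:
  any    -> every port
  N      -> exactly N
  :N     -> every port <= N   (upper bound is INCLUSIVE)
  N:     -> every port >= N
  N:M    -> N <= port <= M
  !spec  -> negation of any of the above
"""


def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` satisfies the Snort port specification `spec`."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.lower() == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0          # ":N" has no lower bound
        high = int(hi) if hi else 65535     # "N:" has no upper bound
        return low <= port <= high
    return port == int(spec)


def parse_rule_header(rule: str) -> dict:
    """Split a Snort rule into its seven header fields; options in (...) are ignored."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("not a Snort rule header: %r" % rule)
    action, proto, src, sport, direction, dst, dport = fields
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def rule_ports_match(rule: str, src_port: int, dst_port: int) -> bool:
    """Do the rule's source/destination port fields match the packet's ports?

    Address variables ($EXTERNAL etc.) are not evaluated here; only ports are.
    A '<>' rule matches the packet in either direction.
    """
    h = parse_rule_header(rule)
    forward = port_matches(h["sport"], src_port) and port_matches(h["dport"], dst_port)
    if h["dir"] == "<>":
        backward = port_matches(h["sport"], dst_port) and port_matches(h["dport"], src_port)
        return forward or backward
    return forward


# Rule quoted in the post (incoming shaft synflood) and a corrected variant.
SHAFT_INCOMING = ('alert tcp $EXTERNAL :1024 -> $INTERNAL any '
                  '(msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; '
                  'reference: arachnids,252; classtype: attempted-dos;)')
SHAFT_INCOMING_LT1024 = SHAFT_INCOMING.replace(" :1024 ", " :1023 ", 1)

# Constructed packet from the post: 10.0.0.0:1024 -> 1.2.3.4:37123
SAMPLE_SRC_PORT, SAMPLE_DST_PORT = 1024, 37123


def quoted_rule_hits_sample() -> bool:
    """The rule as written (':1024') against the sample packet."""
    return rule_ports_match(SHAFT_INCOMING, SAMPLE_SRC_PORT, SAMPLE_DST_PORT)


def lt1024_rule_hits_sample() -> bool:
    """The same rule with ':1023' (ports strictly below 1024) against the sample packet."""
    return rule_ports_match(SHAFT_INCOMING_LT1024, SAMPLE_SRC_PORT, SAMPLE_DST_PORT)


if __name__ == "__main__":
    print(":1024 rule matches src port 1024:", quoted_rule_hits_sample())   # True
    print(":1023 rule matches src port 1024:", lt1024_rule_hits_sample())   # False
```

Because `:N` is inclusive, a rule meant for "privileged" source ports below 1024 has to say `:1023`; `:1024` also fires on port 1024, which is what the quoted packet shows.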
