[Snort-users] snort 1.8 rules
cpw at ...440...
Thu May 24 16:33:06 EDT 2001
It appears that a rule like:
alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "ddos-shaft-synflood-outgoing"; seq: 674711609; flags: S; reference: arachnids,253;)
alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos;)
will catch packets like:
10.0.0.0:1024 -> 184.108.40.206:37123
I think the intent of the rules was to look for source ports LESS than 1024.
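The point above comes down to how Snort reads a port specification in the rule header: `:1024` means "port 1024 and below" (inclusive), so a source port of exactly 1024 satisfies it, whereas `:1023` is what "less than 1024" requires. The following is an added illustration, not code from the original post or from the Snort project: a small Python checker (all function names are my own) that parses the common Snort port forms (`any`, `N`, `N:M`, `:M`, `N:`, with optional `!` negation), pulls the source and destination port specs out of a rule header, and tests the two rules quoted above against the 10.0.0.0:1024 -> 184.108.40.206:37123 flow, then against the same rules with `:1023` substituted.

```python
"""Check Snort-style port specifications against a packet's ports.

Added example. Rule lines are the ones quoted in the post; the helper
functions and their names are assumptions for illustration only.
"""
import re

# 'N:M', ':M' (at most M) or 'N:' (at least N); both ends optional.
_RANGE_RE = re.compile(r"^(\d+)?:(\d+)?$")


def port_matches(spec, port):
    """Return True if `port` satisfies the Snort port spec `spec`.

    Snort ranges are inclusive on both ends, so ':1024' accepts 1024.
    """
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:].strip()
    if spec == "any":
        result = True
    elif spec.isdigit():
        result = port == int(spec)
    else:
        m = _RANGE_RE.match(spec)
        if not m:
            raise ValueError(f"unsupported port spec: {spec!r}")
        low = int(m.group(1)) if m.group(1) else 0
        high = int(m.group(2)) if m.group(2) else 65535
        result = low <= port <= high
    return result != negate


def header_port_specs(rule):
    """Extract (src_port_spec, dst_port_spec) from a rule header.

    Header layout: action proto src_ip src_port -> dst_ip dst_port (options)
    """
    header = rule.split("(", 1)[0].split()
    if len(header) < 7 or header[4] not in ("->", "<>"):
        raise ValueError("unrecognised rule header")
    return header[3], header[6]


def rule_matches_ports(rule, src_port, dst_port):
    """True if the packet's ports satisfy the rule header's port specs."""
    src_spec, dst_spec = header_port_specs(rule)
    return port_matches(src_spec, src_port) and port_matches(dst_spec, dst_port)


# Rules as quoted in the post.
RULES = [
    'alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "ddos-shaft-synflood-outgoing"; '
    'seq: 674711609; flags: S; reference: arachnids,253;)',
    'alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; '
    'flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos;)',
]

# The flow from the post: 10.0.0.0:1024 -> 184.108.40.206:37123
SRC_PORT, DST_PORT = 1024, 37123


def compare_rules():
    """Return [(as_written_matches, with_1023_matches), ...] per rule."""
    results = []
    for rule in RULES:
        as_written = rule_matches_ports(rule, SRC_PORT, DST_PORT)
        fixed = rule_matches_ports(rule.replace(":1024", ":1023"), SRC_PORT, DST_PORT)
        results.append((as_written, fixed))
    return results


if __name__ == "__main__":
    for rule, (as_written, fixed) in zip(RULES, compare_rules()):
        src_spec, _ = header_port_specs(rule)
        print(f"src spec {src_spec!r}: matches port {SRC_PORT} -> {as_written}; "
              f"with ':1023' -> {fixed}")
```

Run stand-alone, the script reports that both rules as written match a source port of 1024 and that changing the spec to `:1023` stops them from doing so; `port_matches` can also be used on its own to sanity-check any other port spec before deploying a rule.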