[Snort-users] snort 1.8 rules

Phil Wood cpw at ...440...
Thu May 24 17:40:36 EDT 2001


Opps, I just got my own message.  I meant to say that
the rule should be looking for source ports 1024 and greater.

Otherwise it becomes a giant falsepositive generator when a source port
is 80 or something like that.

I guess the source port could be changed to:

   !:1023

or

   1024:

Is that right?

On Thu, May 24, 2001 at 02:33:06PM -0600, Phil Wood wrote:
> 
> Folks,
> 
> It appears that a rule like:
> 
> alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "ddos-shaft-synflood-outgoing"; seq: 674711609; flags: S; reference: arachnids,253;)
> 
> or
> 
> alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos;)
> 
> will cat packets like:
> 
>        10.0.0.0:1024 -> 1.2.3.4:37123
> 
> I think the intent of the rules was to look for source ports LESS than 1024.
> 
> Thanks,
> 
> Phil
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list