[Snort-users] snort 1.8 rules
cpw at ...440...
Thu May 24 17:40:36 EDT 2001
Oops, I just got my own message. I meant to say that
the rule should be looking for source ports 1024 and greater.
Otherwise it becomes a giant false-positive generator when a source port
is 80 or something like that.
I guess the source port could be changed to:
Is that right?
On Thu, May 24, 2001 at 02:33:06PM -0600, Phil Wood wrote:
> It appears that a rule like:
> alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "ddos-shaft-synflood-outgoing"; seq: 674711609; flags: S; reference: arachnids,253;)
> alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos;)
> will catch packets like:
> 10.0.0.0:1024 -> 126.96.36.199:37123
> I think the intent of the rules was to look for source ports LESS than 1024.
Phil Wood, cpw at ...440...
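As an added example (not code from this thread or from the Snort project), the following Python models the Snort 1.x port-field syntax the thread turns on: ':1024' is ports 0 through 1024 inclusive, '1024:' is 1024 through 65535, plus 'lo:hi', a single port, 'any' and '!' negation. It parses the posted outgoing shaft rule, applies its port fields and its 'flags'/'seq' options to a few constructed packets, and compares that against the same rule with the source-port field rewritten to '1024:' (an assumed rewrite based on the follow-up message, since the corrected rule itself did not survive on the page). Address variables are not evaluated and 'flags' is modelled as an exact match; both are simplifications for this example.

```python
"""Model Snort's port-range syntax to see which packets a rule header matches.

Added example, not code from the original thread or from Snort. It models
the Snort 1.x port fields ':1024' (0..1024 inclusive), '1024:' (1024..65535),
'lo:hi', a single port, 'any' and '!' negation, plus the 'flags' and 'seq'
options used by the posted shaft rule ('flags' is modelled as an exact match).
The sample packets are constructed for this example, and '1024:' is an
assumed rewrite of the source-port field, not a rule posted to the list.
"""
import re

MAX_PORT = 65535


def parse_port_spec(spec):
    """Parse one Snort port field into (negated, low, high), bounds inclusive."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, 0, MAX_PORT
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0          # ':1024' -> 0..1024
        hi = int(hi_s) if hi_s else MAX_PORT   # '1024:' -> 1024..65535
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError("bad port spec: %r" % spec)
    return negated, lo, hi


def port_matches(spec, port):
    """True when 'port' falls inside (or, for a '!' spec, outside) the range."""
    negated, lo, hi = parse_port_spec(spec)
    return (lo <= port <= hi) != negated


RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an option dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip()
    rule["opts"] = opts
    return rule


def rule_matches(rule, pkt):
    """Apply proto, both port fields, and the flags/seq options to one packet.

    Addresses are not evaluated: $INTERNAL/$EXTERNAL are variables whose
    values the thread does not show, so each packet is assumed to already
    satisfy the address side of the header.
    """
    if rule["proto"].lower() != pkt["proto"].lower():
        return False
    if not port_matches(rule["sport"], pkt["sport"]):
        return False
    if not port_matches(rule["dport"], pkt["dport"]):
        return False
    opts = rule["opts"]
    if "flags" in opts and set(opts["flags"]) != set(pkt["flags"]):
        return False   # exact flag match: 'flags: S' means SYN and nothing else
    if "seq" in opts and int(opts["seq"]) != pkt["seq"]:
        return False
    return True


# The outgoing rule as posted to the list, and the same rule with the
# source-port field rewritten to '1024:' (assumed rewrite, see above).
POSTED_RULE = ('alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "ddos-shaft-synflood-outgoing"; '
               'seq: 674711609; flags: S; reference: arachnids,253;)')
REVISED_RULE = POSTED_RULE.replace("$INTERNAL :1024", "$INTERNAL 1024:")

# Constructed packets: all are bare SYNs carrying the shaft sequence number.
PACKETS = {
    "sport 1024":  {"proto": "tcp", "sport": 1024,  "dport": 37123, "flags": "S", "seq": 674711609},
    "sport 80":    {"proto": "tcp", "sport": 80,    "dport": 37123, "flags": "S", "seq": 674711609},
    "sport 40000": {"proto": "tcp", "sport": 40000, "dport": 37123, "flags": "S", "seq": 674711609},
}


def matching_packets(rule_text):
    """Names of the constructed packets the given rule would alert on."""
    rule = parse_rule(rule_text)
    return sorted(name for name, pkt in PACKETS.items() if rule_matches(rule, pkt))


if __name__ == "__main__":
    for label, text in (("posted  ':1024'", POSTED_RULE), ("revised '1024:'", REVISED_RULE)):
        print(label, "->", matching_packets(text))
```

Running it shows the posted rule alerting on the SYN from source port 1024 and on the one from source port 80, while the '1024:' version drops the port-80 packet and picks up the one from the high source port instead, which is the change in coverage the follow-up message is asking for.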