[Snort-users] SNORT keyword to check TCP window size

Phil Wood cpw at ...440...
Wed Sep 12 09:23:05 EDT 2001


On Wed, Sep 12, 2001 at 04:19:22PM +0100, Alberto Grazi wrote:
> I've actually found something in the changelog which says it is possible
> to check it but there is no mention at all in the documentation... Can
> anyone help ?

alert tcp any any -> any any (msg: "window is zero"; window: 0;)

> 
> 
> 
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/ChangeLog?rev=1.13&content-type=text/vnd.viewcvs-markup
> 
> /* $Id: ChangeLog,v 1.13 2001/08/15 05:54:35 roesch Exp $ */
> [...]
> 
> 2001-04-19 bmc <bmc at ...312...>
> [...]
>     * added sp_tcp_win_check.  TCP Window Size can be looked now 
> 
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Alberto
> Grazi
> Sent: 13 September 2001 00:42
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] SNORT keyword to check TCP window size
> 
> 
> Hi, 
> does anyone know how to check the window size of a TCP packet in a SNORT
> rule? 
> I've been looking in the documentation and on the Net but I haven't
> found it yet... there has to be a way, it's written in the changelog!
> 
> Any help is appreciated.
> Regards
> Alberto Grazi
> 

-- 
Phil Wood, cpw at ...440...
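
What the "window: 0" test in the rule above compares against, as an added Python example (not part of the original message and not Snort's own code): it reads the 16-bit window field from the TCP header of a raw IPv4 packet and evaluates a window option against it. The function names and the sample packets are constructed for illustration; the "!" negation follows the window:[!]<number> form given in the Snort manual.

```python
import struct

def tcp_window(packet):
    """Return the raw 16-bit TCP window of an IPv4 packet, or None if there is no TCP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length; options shift the TCP header
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    if ihl < 20 or packet[9] != 6 or frag_offset or len(packet) < ihl + 20:
        return None                           # not TCP, later fragment, or truncated
    # Window is bytes 14-15 of the TCP header, network byte order, no window scaling applied.
    return struct.unpack_from("!H", packet, ihl + 14)[0]

def window_option_matches(option, packet):
    """Evaluate a 'window: [!]<number>;' rule option against one packet."""
    name, _, value = option.strip().rstrip(";").partition(":")
    if name.strip() != "window":
        raise ValueError("not a window option: %r" % option)
    value = value.strip()
    negate = value.startswith("!")
    wanted = int(value.lstrip("!").strip())
    actual = tcp_window(packet)
    if actual is None:
        return False                          # nothing to compare, so no match either way
    return (actual == wanted) != negate

def build_packet(window, proto=6, ip_options=b""):
    """Constructed sample: minimal IPv4 + TCP SYN with the given window (checksums left 0)."""
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 40 + len(ip_options),
                     0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + ip_options + tcp

if __name__ == "__main__":
    for win in (0, 8192):
        pkt = build_packet(win)
        print(win, window_option_matches("window: 0;", pkt), window_option_matches("window: !0;", pkt))
```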




