[Snort-users] "trons" Rules

Jason Lewis jlewis at ...2449...
Thu Feb 28 22:43:01 EST 2002

When I can't explain something... I refer to the trons.

Why did the DB suddenly crash?  It must have been the trons.

Shortened version of electrons, you know those crazy electrons are out of
whack.  It's my way of saying.."I have no clue" without saying it.  People
don't normally question it.  After reading that web page.....maybe it is
similar. ;)


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of dr.kaos
Sent: Friday, March 01, 2002 12:43 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] "trons" Rules

Hmmmmm. Anbody else find this interesting?  trons, huh...

>From BugTraq in a response re: missing blackice signatures and a
means by which to make blackice log certain attacks...



"I can't recommend you use this feature, but it may be interesting
for entertainment purposes. Add the following lines to the
"blackice.ini" file:

trons = enabled
trons.rule = alert tcp any any -> any any (msg:"URG Scan";flags:U;)
trons.filename = trons-needs-filename-even-if-dont-exist

I can't stress enough that this feature is unsupported and that
you can't get any help from us about this feature at this time.
However, you might find documentation somewhere on the net :-).
As a user, I added those lines and transmitted the packet
described in the NtWaK0 message, and BlackICE triggered on it."

Robert Graham
Internet Security Systems

PS: I'll be putting up a small TRONS document up on my personal
website tomorrow. The link will be:

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list