[Snort-users] What wins? TCP headers or packet contents?
jsage at ...2022...
Fri Sep 13 21:52:03 EDT 2002
Good golly, miss molly...
At least someone was paying attention.
On Thu, Sep 12, 2002 at 08:31:27PM -0400, Chris Green wrote:
> John Sage <jsage at ...2022...> writes:
> > Let me bring the question up to the top:
<snip the question, 'cause there wasn't really one>
> Let's chop up this mail a bit. There's no notion of what wins because
> it's a logical AND of the portions in the rule header and in the rule
> options list.
> The rule:
> "Check TCP traffic from $EXTERNAL_NET with any source port to HOME_NET
> port 32770 or above and look for Foo flags with a content of
> OOOOOOOOOOOOOO02010186A1 starting 5 bytes into the packet"
> > rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC
> > rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86
> > A1|";offset:5; reference:arachnids,9;classtype:attempted-recon;
> > sid:1278; rev:3;)
> > <snip>
Oh. Yeah. That *semicolon* after "32770".. heh.. yeah..
*That* semicolon. heh.. hmm..
That's why you get paid the big bucks (I hope)!
"Obviously, we do not want to leave zombies around."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
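The logical-AND point Chris makes above, as an added example that is not part of the original thread or of Snort itself: a toy Python evaluator for the quoted rstatd rule, with the header test (tcp, $EXTERNAL_NET any -> $HOME_NET 32770:) and the options test (flags:A+; content; offset:5) kept as separate functions so you can see that an alert needs both to be true. The HOME_NET value and the sample packets are constructed, $EXTERNAL_NET is modelled as "not in HOME_NET", and offset:5 is read in the usual way as "start searching for the content 5 bytes into the payload".

```python
import ipaddress
from dataclasses import dataclass

# Constructed value for this example; a real snort.conf sets var HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")

# The content from the rule: |00 00 00 00 00 00 00 02 00 01 86 A1|
# (RPC call header fragment followed by the rstatd program number 0x186A1).
RSTATD_CONTENT = bytes.fromhex("00 00 00 00 00 00 00 02 00 01 86 A1")
RSTATD_OFFSET = 5  # offset:5 -> begin the content search 5 bytes into the payload


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "A", "PA", "S"
    payload: bytes


def port_matches(spec: str, port: int) -> bool:
    """Snort port spec: any, N, N: (N or above), :N (N or below), N:M."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def net_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":      # modelled as !$HOME_NET (assumption)
        return addr not in HOME_NET
    if spec == "any":
        return True
    return addr in ipaddress.ip_network(spec)


def header_matches(pkt: Packet) -> bool:
    """Rule header: tcp $EXTERNAL_NET any -> $HOME_NET 32770:"""
    return (pkt.proto == "tcp"
            and net_matches("$EXTERNAL_NET", pkt.src)
            and port_matches("any", pkt.sport)
            and net_matches("$HOME_NET", pkt.dst)
            and port_matches("32770:", pkt.dport))


def options_match(pkt: Packet) -> bool:
    """Rule options: flags:A+; content:"|00 ... 86 A1|"; offset:5;"""
    ack_plus = "A" in pkt.flags     # A+ : ACK set, any other flags allowed
    found = pkt.payload.find(RSTATD_CONTENT, RSTATD_OFFSET) != -1
    return ack_plus and found


def rule_fires(pkt: Packet) -> bool:
    # No "winner": header AND options must both hold for sid:1278 to alert.
    return header_matches(pkt) and options_match(pkt)


# Constructed sample packets (4 bytes of RPC record mark + 1 byte, then the content).
_hit_payload = b"\x80\x00\x00\x28\x00" + RSTATD_CONTENT + b"\x00" * 4
SAMPLES = {
    # external host to high port on HOME_NET, ACK set, content at byte 5 -> alert
    "match": Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 32771, "PA", _hit_payload),
    # same payload but to port 111: options match, header does not -> no alert
    "wrong_port": Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 111, "PA", _hit_payload),
    # header matches, payload lacks the content -> no alert
    "no_content": Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 32771, "PA", b"\x80\x00\x00\x28" + b"\x00" * 16),
    # content present but it starts at byte 2, before offset 5 -> no alert
    "content_too_early": Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 32771, "PA", b"\x00\x00" + RSTATD_CONTENT + b"\x00" * 4),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (header_ok, options_ok, alert)} for each sample packet."""
    return {name: (header_matches(p), options_match(p), rule_fires(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18} header={result[0]!s:5} options={result[1]!s:5} alert={result[2]}")
```

Run it and note that "wrong_port" passes every option and "no_content" passes the whole header; neither raises the alert, which is exactly the AND Chris describes.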