[Snort-users] What wins? TCP headers or packet contents?

John Sage jsage at ...2022...
Fri Sep 13 21:52:03 EDT 2002


Good golly, miss molly...

At least someone was paying attention.

On Thu, Sep 12, 2002 at 08:31:27PM -0400, Chris Green wrote:
> John Sage <jsage at ...2022...> writes:
> 
> > Let me bring the question up to the top:

<snip the question, 'cause there wasn't really one>

> Let's chop up this mail a bit. There's no notion of what wins because
> it's a logical AND of the portions in the rule header and in the rule
> options list.
> 
> The rule:
> 
> "Check TCP traffic from $EXTERNAL_NET with any source port to HOME_NET
> port 32770 or above and look for Foo flags with a content of
> OOOOOOOOOOOOOO02010186A1 starting 5 bytes into the packet"
> 
> > rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC
> > rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86
> > A1|";offset:5; reference:arachnids,9;classtype:attempted-recon;
> > sid:1278;  rev:3;)
> > <snip>

arf..

Oh. Yeah. That *semicolon* after "32770".. heh.. yeah..

*That* semicolon. heh.. hmm..


Thanks, Chris.

That's why you get paid the big bucks (I hope)!


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
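The point Chris makes above (header and options are ANDed, and the trailing colon in `32770:` means "32770 or above") is easy to see in a toy matcher. This is an added illustration, not code from the thread or from Snort itself: a small Python model of how sid 1278 is evaluated against a packet. The network values for $HOME_NET and the sample packets are constructed for the demonstration; the rule fields are taken from the quoted rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the snort.conf variables (assumption, not real config).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: set        # e.g. {"A", "P"} for ACK+PSH
    payload: bytes    # TCP payload only, as Snort's content/offset see it


# sid 1278 from the quoted rpc.rules entry, split into header and option parts.
# Network specs are (negate, network): $EXTERNAL_NET is modelled as !$HOME_NET.
SID_1278 = {
    "proto": "tcp",
    "src_net": (True, HOME_NET),
    "src_port": "any",
    "dst_net": (False, HOME_NET),
    "dst_port": "32770:",                        # 32770 and above
    "flags": "A+",                               # ACK set, any other flags allowed
    "content": bytes.fromhex("00000000000000020001" "86A1"),
    "offset": 5,                                 # start looking 5 bytes into the payload
}


def net_matches(spec, ip: str) -> bool:
    if spec == "any":
        return True
    negate, net = spec
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec: str, port: int) -> bool:
    # Snort port syntax: "any", "N", "N:" (N and above), ":N" (N and below), "N:M".
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":", 1)
    low = int(lo) if lo else 0
    high = int(hi) if hi else 65535
    return low <= port <= high


def flags_match(spec: str, flags: set) -> bool:
    # "A" = exactly ACK, "A+" = ACK plus anything, "A*" = any of the listed flags.
    if spec.endswith("+"):
        return set(spec[:-1]) <= flags
    if spec.endswith("*"):
        return bool(set(spec[:-1]) & flags)
    return set(spec) == flags


def content_matches(pattern: bytes, offset: int, payload: bytes) -> bool:
    # offset without depth: the pattern may begin anywhere at or after byte `offset`.
    return payload.find(pattern, offset) != -1


def header_matches(rule, pkt: Packet) -> bool:
    return (pkt.proto == rule["proto"]
            and net_matches(rule["src_net"], pkt.src)
            and port_matches(rule["src_port"], pkt.sport)
            and net_matches(rule["dst_net"], pkt.dst)
            and port_matches(rule["dst_port"], pkt.dport))


def options_match(rule, pkt: Packet) -> bool:
    return (flags_match(rule["flags"], pkt.flags)
            and content_matches(rule["content"], rule["offset"], pkt.payload))


def rule_matches(rule, pkt: Packet) -> bool:
    # Nothing "wins": a header miss or an option miss each sinks the alert.
    return header_matches(rule, pkt) and options_match(rule, pkt)


# Constructed sample packets. The 5-byte prefix ends in 0x01 so the only
# occurrence of the pattern starts exactly at payload byte 5.
PREFIX = b"\x80\x00\x00\x28\x01"
PKT_HIT = Packet("tcp", "10.0.0.5", 1234, "192.168.1.10", 32771, {"A", "P"},
                 PREFIX + SID_1278["content"] + b"\x00\x00\x00\x00")
PKT_WRONG_PORT = Packet("tcp", "10.0.0.5", 1234, "192.168.1.10", 111, {"A", "P"},
                        PREFIX + SID_1278["content"])
PKT_EARLY_CONTENT = Packet("tcp", "10.0.0.5", 1234, "192.168.1.10", 32770, {"A"},
                           SID_1278["content"] + b"\x00" * 8)
PKT_SYN = Packet("tcp", "10.0.0.5", 1234, "192.168.1.10", 32770, {"S"},
                 PREFIX + SID_1278["content"])


def demo() -> dict:
    return {name: rule_matches(SID_1278, p) for name, p in
            [("hit", PKT_HIT), ("wrong_port", PKT_WRONG_PORT),
             ("early_content", PKT_EARLY_CONTENT), ("syn_only", PKT_SYN)]}


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:14s} alert={fired}")
```

The `wrong_port` packet carries the exact rstatd pattern at the right offset, so the options half is satisfied, yet the alert never fires because the header half (port 32770 or above) fails; the `syn_only` packet is the mirror case, where the header is fine and `flags:A+` is not.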