[Snort-users] What wins? TCP headers or packet contents?

John Sage jsage at ...2022...
Sat Sep 14 07:31:01 EDT 2002


On Fri, Sep 13, 2002 at 09:51:01PM -0700, John Sage wrote:
> Good golly, miss molly...
> 
> At least someone was paying attention.
> 
> On Thu, Sep 12, 2002 at 08:31:27PM -0400, Chris Green wrote:
> > John Sage <jsage at ...2022...> writes:
> > 
> > > Let me bring the question up to the top:
> 
> <snip the question, 'cause there wasn't really one>
> 
> > Let's chop up this mail a bit. There's no notion of what wins because
> > it's a logical AND of the portions in the rule header and in the rule
> > options list.
> > 
> > The rule:
> > 
> > "Check TCP traffic from $EXTERNAL_NET with any source port to HOME_NET
> > port 32770 or above and look for Foo flags with a content of
> > OOOOOOOOOOOOOO02010186A1 starting 5 bytes into the packet"
> > 
> > > rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC
> > > rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86
> > > A1|";offset:5; reference:arachnids,9;classtype:attempted-recon;
> > > sid:1278;  rev:3;)
> > > <snip>
> 
> arf..
> 
> Oh. Yeah. That *semicolon*^H^H^H^H^H^H^H^H^H *colon* after "32770".. heh.. yeah..

colon

The thing with the two dots: <- -> colon

# EOF


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
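The matching semantics Chris spells out above (rule header and rule options are a logical AND, and `32770:` means port 32770 and above), as an added example that is not part of this thread or of Snort's own code. It is a toy evaluator for the sid 1278 rstatd rule only; the port, `flags` and `content`/`offset` semantics follow Snort's documented rule syntax, while the value of $HOME_NET, the packet dictionaries and the RPC payload bytes are assumptions constructed for the demo.

```python
import ipaddress

# Assumed value of $HOME_NET for this demo; $EXTERNAL_NET is its complement.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_port_spec(spec):
    """Snort port syntax -> inclusive (low, high).
    'any' -> 0..65535, '80' -> 80..80, '32770:' -> 32770..65535,
    ':1024' -> 0..1024, '1024:2048' -> 1024..2048."""
    spec = spec.strip()
    if spec == "any":
        return (0, 65535)
    if ":" not in spec:
        port = int(spec)
        return (port, port)
    low, high = spec.split(":", 1)
    return (int(low) if low else 0, int(high) if high else 65535)


def port_matches(spec, port):
    low, high = parse_port_spec(spec)
    return low <= port <= high


def addr_matches(spec, addr):
    """'$HOME_NET', '$EXTERNAL_NET' (= !$HOME_NET) or 'any'."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    raise ValueError("unsupported address spec: %s" % spec)


def flags_match(spec, tcp_flags):
    """Snort 'flags' option. Bare letters: the flag set must match exactly.
    Trailing '+': the named flags must be set, any others are ignored.
    Trailing '*': at least one of the named flags must be set."""
    modifier = spec[-1] if spec[-1] in "+*" else ""
    wanted = 0
    for letter in spec.rstrip("+*"):
        wanted |= TCP_FLAG_BITS[letter]
    if modifier == "+":
        return tcp_flags & wanted == wanted
    if modifier == "*":
        return tcp_flags & wanted != 0
    return tcp_flags == wanted


def hex_content(snort_text):
    """'|00 00 02|' -> b'\\x00\\x00\\x02'."""
    return bytes.fromhex(snort_text.strip("|"))


def content_matches(pattern, payload, offset=0):
    """'content' with 'offset': the search begins 'offset' bytes into the payload."""
    return pattern in payload[offset:]


# The rstatd rule from the thread (sid 1278), broken into its individual tests.
RSTATD_RULE = {
    "proto": "tcp",
    "src": "$EXTERNAL_NET", "sport": "any",
    "dst": "$HOME_NET", "dport": "32770:",
    "flags": "A+",
    "content": hex_content("|00 00 00 00 00 00 00 02 00 01 86 A1|"),
    "offset": 5,
}


def rule_matches(rule, pkt):
    """Header tests AND option tests: every clause must hold for an alert."""
    return (pkt["proto"] == rule["proto"]
            and addr_matches(rule["src"], pkt["src"])
            and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"])
            and port_matches(rule["dport"], pkt["dport"])
            and flags_match(rule["flags"], pkt["flags"])
            and content_matches(rule["content"], pkt["payload"], rule["offset"]))


# Constructed sample payload: a 4-byte RPC record marker, a 4-byte XID, then the
# msg-type / RPC-version / program-number fields the rule's content looks for.
RSTATD_PAYLOAD = (bytes.fromhex("80000030") + bytes.fromhex("00000007")
                  + hex_content("|00 00 00 00 00 00 00 02 00 01 86 A1|"))

PKT_MATCH = {"proto": "tcp", "src": "203.0.113.5", "sport": 40123,
             "dst": "192.168.1.10", "dport": 32771,
             "flags": 0x18, "payload": RSTATD_PAYLOAD}   # ACK|PSH set
PKT_WRONG_PORT = dict(PKT_MATCH, dport=32769)   # header fails, options would pass
PKT_WRONG_FLAGS = dict(PKT_MATCH, flags=0x02)   # header passes, 'flags:A+' fails

if __name__ == "__main__":
    for name, pkt in [("match", PKT_MATCH), ("port 32769", PKT_WRONG_PORT),
                      ("SYN only", PKT_WRONG_FLAGS)]:
        print("%-12s -> %s" % (name, rule_matches(RSTATD_RULE, pkt)))
```

Running it shows the point of the thread: the same payload on port 32769 never reaches the content test because the header already failed, and a packet on port 32771 with the right bytes but only SYN set fails on `flags:A+`; there is no "winner", only a conjunction of clauses.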
