[Snort-users] Question on acid - Rules question

Snow Jacob C KPWA JacobSC at ...160...
Tue May 13 08:57:15 EDT 2003


On the page for the unique IP link, what is that testing?  Does it check for a
SYN and then an ACK coming back, or what is the criteria for this?  I'm trying to
get a list of SYNs that are going out of my network that also receive an ACK
back.  I have a rule that checks for the outgoing SYN:


alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn Outbound"; flags:S; tag:session,2,packets;)


Is there a way to modify the rule to make sure it gets an ack back and then
set off the alert, kinda like an if statement or something?


I am doing this to document what ports/addresses are going out of our
network and on which ports.  Any help would be good, so that I don't have to
just go through all the log files by hand myself.


Thank you,


Jacob Snow

jacobsc at ...160...

(360)315-3487

NAVSEA Intern
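One way to get the "SYN that got an answer" list the post asks for, as an added example that is not from the poster or from the Snort project: keep the outbound SYN rule, add a second rule for the inbound SYN/ACK, and pair the two alerts by their reversed address tuples in a small script. The companion rule and the Snort 2.x "fast" alert line format are assumptions; the sample alert lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed companion rule (sid values are placeholders):
#   alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"SynAck Inbound"; flags:SA; sid:1000002;)
# Assumed Snort "fast" alert layout: timestamp [**] [gid:sid:rev] msg [**] ... {TCP} src:port -> dst:port
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{TCP\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$'
)

# Constructed sample alerts: one SYN with a SYN/ACK reply, one SYN with no reply,
# and one stray SYN/ACK that never had a matching outbound SYN.
SAMPLE_ALERTS = """\
05/13-08:57:15.100000  [**] [1:1000001:1] Syn Outbound [**] [Priority: 0] {TCP} 10.1.1.5:34567 -> 198.51.100.10:80
05/13-08:57:15.160000  [**] [1:1000002:1] SynAck Inbound [**] [Priority: 0] {TCP} 198.51.100.10:80 -> 10.1.1.5:34567
05/13-08:57:20.000000  [**] [1:1000001:1] Syn Outbound [**] [Priority: 0] {TCP} 10.1.1.7:40001 -> 203.0.113.9:25
05/13-08:57:31.000000  [**] [1:1000002:1] SynAck Inbound [**] [Priority: 0] {TCP} 192.0.2.44:443 -> 10.1.1.9:50000
""".splitlines()


def parse_alert(line, year=2003):
    """Parse one fast-alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # Fast alerts carry no year, so one is supplied to build a real timestamp.
    ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "msg": m.group("msg"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport"))}


def completed_handshakes(lines, window=timedelta(seconds=5)):
    """Return sorted (src, dst, dport) tuples for outbound SYNs answered by a SYN/ACK within window."""
    pending = {}   # (src, sport, dst, dport) of the SYN -> time it was seen
    completed = set()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if a["msg"] == "Syn Outbound":
            pending[(a["src"], a["sport"], a["dst"], a["dport"])] = a["ts"]
        elif a["msg"] == "SynAck Inbound":
            # The reply travels the opposite way, so look it up with the tuple reversed.
            key = (a["dst"], a["dport"], a["src"], a["sport"])
            seen = pending.pop(key, None)
            if seen is not None and timedelta(0) <= a["ts"] - seen <= window:
                completed.add((key[0], key[2], key[3]))
    return sorted(completed)


if __name__ == "__main__":
    for src, dst, dport in completed_handshakes(SAMPLE_ALERTS):
        print(f"{src} -> {dst}:{dport}")
```

SYNs that never get a SYN/ACK (closed or filtered ports) stay in `pending` and are simply not reported, which is what makes the output a list of connections the far end actually accepted.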
