[Snort-users] Question on acid - Rules question
Snow Jacob C KPWA
JacobSC at ...160...
Tue May 13 08:57:15 EDT 2003
On the page for the unique IP link, what is that testing? Does it check for a
SYN and then an ACK coming back, or what is the criteria for this? Trying to
get a list of SYNs that are going out of my network that also receive an ACK
back. I have a rule that checks for the outgoing SYN:
alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn
Is there a way to modify the rule to make sure it gets an ack back and then
set off the alert, kinda like an if statement or something?
I am doing this to document what ports/addresses are going out of our
network and on which ports. Any help would be good, so that I don't have to
just go through all the log files by hand myself.
jacobsc at ...160... <mailto:jacobsc at ...160...>
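
The correlation asked about above, as an added example that is not part of the original post and is not Snort or ACID code: it pairs each outbound SYN with a returning SYN/ACK that acknowledges its sequence number, limited to destination ports up to 1024 to mirror the `:1024` in the posted rule. The record format, the HOME_NET value and the function name are assumptions made for this sketch.

```python
import ipaddress
import re

# Assumption: HOME_NET value and the record format are constructed for this example.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
LINE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (SA|S) seq=(\d+)(?: ack=(\d+))?$")

# Constructed sample records (not real Snort or ACID output).
SAMPLE = """\
192.168.1.10:40001 -> 198.51.100.7:80 S seq=1000
198.51.100.7:80 -> 192.168.1.10:40001 SA seq=5000 ack=1001
192.168.1.11:40002 -> 203.0.113.9:25 S seq=2000
192.168.1.12:40003 -> 198.51.100.7:443 S seq=3000
198.51.100.7:443 -> 192.168.1.12:40003 SA seq=7000 ack=9999
192.168.1.10:40004 -> 198.51.100.7:8080 S seq=4000
198.51.100.7:8080 -> 192.168.1.10:40004 SA seq=8000 ack=4001
"""

def answered_outbound(lines, home_net=HOME_NET, max_dport=1024):
    """Return sorted (dst_ip, dst_port) pairs whose outbound SYN got a matching SYN/ACK."""
    pending = {}      # (client, cport, server, sport) -> sequence number of the SYN
    answered = set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated records
        src, sport, dst, dport, flags, seq, ack = m.groups()
        sport, dport, seq = int(sport), int(dport), int(seq)
        src_home = ipaddress.ip_address(src) in home_net
        dst_home = ipaddress.ip_address(dst) in home_net
        if flags == "S" and src_home and not dst_home and dport <= max_dport:
            pending[(src, sport, dst, dport)] = seq
        elif flags == "SA" and dst_home and not src_home and ack is not None:
            key = (dst, dport, src, sport)  # reverse direction of the original SYN
            # A genuine reply acknowledges the SYN's sequence number + 1 (mod 2**32).
            if key in pending and int(ack) == (pending[key] + 1) % 2**32:
                answered.add((src, sport))
                del pending[key]
    return sorted(answered)

if __name__ == "__main__":
    for ip, port in answered_outbound(SAMPLE.splitlines()):
        print(f"{ip}:{port}")
```

SYNs that never receive a reply, replies with a non-matching acknowledgement number, and destinations above the port limit are all left out of the result.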