[Snort-users] Question on acid - Rules question

Snow Jacob C KPWA JacobSC at ...160...
Tue May 13 08:57:15 EDT 2003

On the page for unique ip link what is that testing?  Does it check for a
syn and then an ack coming back or what is the criteria for this?  Trying to
get a list of syn that are going out of my network that also receive an ack
back.  I have a rule that checks for the outgoing syn:


alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn


Is there a way to modify the rule to make sure it gets an ack back and then
set off the alert, kinda like an if statement or something?


I am doing this to document what ports/addresses are going out of our
network and on which ports.  Any help would be good, so that I don't have to
just go through all the log files by hand myself.


Thank you,


Jacob Snow

jacobsc at ...160...
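The correlation asked about above, as an added example that is not part of the original post: a Python sketch that pairs each outbound SYN with the SYN/ACK that answers it and lists the destination address and port. It assumes the traffic is available as tcpdump text output; the HOME_NET value and every sample line are constructed for illustration.

```python
import ipaddress
import re

HOME_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed value for $HOME_NET
MAX_DPORT = 1024  # mirrors the ":1024" destination port range in the rule

# Constructed sample lines in tcpdump's text output format (not real traffic).
SAMPLE = """\
08:57:15.000001 IP 10.1.1.5.34567 > 192.0.2.10.80: Flags [S], seq 100, win 5840, length 0
08:57:15.020001 IP 192.0.2.10.80 > 10.1.1.5.34567: Flags [S.], seq 900, ack 101, win 5792, length 0
08:57:15.020101 IP 10.1.1.5.34567 > 192.0.2.10.80: Flags [.], ack 901, win 5840, length 0
08:57:16.000001 IP 10.1.1.7.40000 > 198.51.100.3.25: Flags [S], seq 5, win 5840, length 0
08:57:16.030001 IP 198.51.100.3.25 > 10.1.1.7.40000: Flags [R.], seq 0, ack 6, win 0, length 0
08:57:17.000001 IP 10.1.1.9.41000 > 203.0.113.8.443: Flags [S], seq 7, win 5840, length 0
08:57:18.000001 IP 10.1.1.9.41001 > 203.0.113.8.8080: Flags [S], seq 8, win 5840, length 0
08:57:18.010001 IP 203.0.113.8.8080 > 10.1.1.9.41001: Flags [S.], seq 9, ack 9, win 5792, length 0
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def answered_outbound_syns(text):
    """Return sorted (src_ip, dst_ip, dst_port) for outbound SYNs that got a SYN/ACK."""
    pending = set()   # (client, client_port, server, server_port) with no reply yet
    answered = set()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if flags == "S":      # bare SYN: keep it only if it matches the rule's scope
            if src_ip in HOME_NET and dst_ip not in HOME_NET and dport <= MAX_DPORT:
                pending.add((src, sport, dst, dport))
        elif flags == "S.":   # SYN/ACK: look for the reversed 4-tuple of a pending SYN
            key = (dst, dport, src, sport)
            if key in pending:
                pending.discard(key)
                answered.add((dst, src, sport))
    return sorted(answered)

if __name__ == "__main__":
    for client, server, port in answered_outbound_syns(SAMPLE):
        print(f"{client} -> {server}:{port} answered")
```

In the sample, the SYN to port 25 is reset, the one to 443 gets no reply, and the one to 8080 falls outside the port range, so only the port 80 connection is reported.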



