[Snort-users] Rules: flags burp using 2.0.2?

John Sage jsage at ...2022...
Sun Sep 21 17:58:09 EDT 2003


Successfully put on 2.0.2; runs great, and is less filling.

/* specs, for the record */
[jsage at ...3561... /etc/snort]$ uname -a
Linux greatwall 2.4.18-5 #1 Mon Jun 10 15:14:29 EDT 2002 i586 unknown

[jsage at ...3561... /etc/snort]$ snort -V
-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch at ...1935..., www.snort.org)

[jsage at ...3561... /etc/snort]$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-110)
/* end specs */

But, suddenly these sorts of rules aren't working:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: S; msg:"TCP \
  inbound to 135 dcom, SYN";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: A; dsize: 0; \
  msg:"TCP inbound to 135 dcom, ACK";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: AF; dsize: 0; \
  msg:"TCP inbound to 135 dcom, ACK-FIN";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: F; msg:"TCP \
  inbound to 135 dcom, FIN";)

Rather than picking up these, it drops through to the generic TCP:135
rule I've got, which confuses what I'm trying to do...

Wha' happen' between 1.9.1 and here, flags-wise?

TIA..


- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.

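As an added illustration (not part of the original post, and not Snort's own code), here is a small Python model of how Snort's TCP `flags:` option decides whether a rule matches a packet's flag byte. It uses the four rules from the post, ignores their `dsize:` option, and treats the default mode as an exact comparison of the whole flag byte, with `+` (all listed bits plus any others), `*` (any listed bit) and `!` (none of the listed bits) as modifiers and the optional `,12` suffix as a mask that ignores the two reserved/ECN bits. Whether ECN-marked SYNs failing an exact `flags:S;` comparison is what the poster hit is an assumption; the model only shows how an exact match and a masked match differ on such a packet.

```python
# Added example, not code from the original post or from the Snort project.
# Models Snort's "flags:" matching: exact by default, with +, *, ! modifiers
# and an optional ",<bits>" mask. The rule strings are taken from the post.
import re
from dataclasses import dataclass
from typing import List, Optional

# Snort flag letters -> bit positions in the TCP flags byte (RFC 793; bits
# "1" and "2" are the reserved bits that RFC 3168 assigned to ECE and CWR).
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80,
}

# Modifier may appear before or after the flag letters (e.g. "+A" or "A+").
FLAGS_RE = re.compile(
    r"flags\s*:\s*([!*+]?)([FSRPAU012]+)([!*+]?)(?:\s*,\s*([FSRPAU12]+))?\s*;"
)
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


@dataclass
class FlagsTest:
    mode: str  # "" exact, "+" all listed plus any, "*" any listed, "!" none listed
    want: int  # bits named in the option
    mask: int  # bits to ignore (the ",12" part), 0 if absent


def to_bits(letters: str) -> int:
    bits = 0
    for ch in letters:
        if ch != "0":          # "0" means "no flags set" and adds no bits
            bits |= FLAG_BITS[ch]
    return bits


def parse_flags_option(rule: str) -> Optional[FlagsTest]:
    m = FLAGS_RE.search(rule)
    if not m:
        return None
    mode_before, letters, mode_after, mask = m.groups()
    return FlagsTest(mode_before or mode_after, to_bits(letters),
                     to_bits(mask) if mask else 0)


def flags_match(test: FlagsTest, pkt_flags: int) -> bool:
    # Assumption of this model: the mask is applied before every comparison.
    f = pkt_flags & 0xFF & ~test.mask
    if test.mode == "":
        return f == test.want                    # exact: no extra bits allowed
    if test.mode == "+":
        return f & test.want == test.want        # listed bits set, others free
    if test.mode == "*":
        return f & test.want != 0                # any listed bit set
    if test.mode == "!":
        return f & test.want == 0                # none of the listed bits set
    raise ValueError("unknown flags modifier %r" % test.mode)


# The four rules from the post, each joined onto one line.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: S; msg:"TCP inbound to 135 dcom, SYN";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: A; dsize: 0; msg:"TCP inbound to 135 dcom, ACK";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: AF; dsize: 0; msg:"TCP inbound to 135 dcom, ACK-FIN";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: F; msg:"TCP inbound to 135 dcom, FIN";)',
]


def first_matching_msg(rules: List[str], pkt_flags: int) -> Optional[str]:
    """Return the msg of the first rule whose flags option matches, else None."""
    for rule in rules:
        test = parse_flags_option(rule)
        if test is not None and flags_match(test, pkt_flags):
            m = MSG_RE.search(rule)
            return m.group(1) if m else rule
    return None


if __name__ == "__main__":
    # Constructed flag bytes: plain SYN, and a SYN with both ECN bits set.
    for name, byte in [("SYN", 0x02), ("SYN+ECE+CWR", 0xC2)]:
        print(name, hex(byte), "->", first_matching_msg(RULES, byte))
    # flags:S,12; masks the reserved bits, so the ECN-marked SYN matches it.
    print("flags:S,12; on 0xC2 ->",
          flags_match(parse_flags_option("flags:S,12;"), 0xC2))
```

Running the block shows the plain SYN hitting the SYN rule while the ECN-marked SYN matches none of the exact-mode rules, and then matching once the `,12` mask is added.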