[Snort-users] Any way to do something like "Flowbits, " but for other than a TCP stream?

Bachelor, Stephen A CTR USSOCOM HQ Stephen.Bachelor.ctr at ...14240...
Thu Nov 15 16:02:03 EST 2007


My problem is false positives on rule 1:2189, Bad-Traffic IP Proto 103.
To exploit the vulnerability, one must send 4 packets, with successive
protocol types: 53, 55, 77, and 103. The Snort rule only seems to look
for proto_id: 103, and it's creating thousands of false positives for
me. How can I make it trigger on 103 only if there's been a proto_id: 77
to the same destination, one packet earlier? As far as I can tell,
thresholding rules aren't quite flexible enough to help.
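The correlation the post asks for (alert on protocol 103 only when the same destination just received protocol 77, or the whole 53/55/77/103 sequence) is stateful across IP protocols rather than within one TCP stream, which is why a plain `threshold` does not express it. The following is an added example, not code from the original post or from Snort: a small per-destination sequence matcher in Python over constructed packet records (hypothetical addresses), which a practitioner could feed from a pcap to measure how many of the stock rule 1:2189 hits are actually preceded by the expected protocol sequence. It generalises the two-packet check to any protocol sequence.

```python
from collections import defaultdict, deque

# Constructed sample packets as (src, dst, ip_proto) tuples; addresses are
# hypothetical. In practice these would be read from a capture file.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 103),  # lone 103: would fire the stock rule
    ("10.0.0.5", "192.0.2.10", 6),
    ("10.0.0.7", "192.0.2.20", 53),
    ("10.0.0.7", "192.0.2.20", 55),
    ("10.0.0.7", "192.0.2.20", 77),
    ("10.0.0.7", "192.0.2.20", 103),  # full 53,55,77,103 sequence to one dst
    ("10.0.0.9", "192.0.2.30", 77),
    ("10.0.0.9", "192.0.2.30", 103),  # 77 immediately before 103
    ("10.0.0.9", "192.0.2.40", 77),
    ("10.0.0.9", "192.0.2.40", 6),
    ("10.0.0.9", "192.0.2.40", 103),  # 103 with a packet in between: no match
]

# Protocol order the post says the exploit requires.
EXPLOIT_SEQUENCE = (53, 55, 77, 103)


def stock_rule_hits(packets):
    """Mimic the stock rule: every packet with IP protocol 103 alerts."""
    return [i for i, (_, _, proto) in enumerate(packets) if proto == 103]


def find_sequences(packets, sequence=EXPLOIT_SEQUENCE, per_src=False):
    """Return (packet_index, key) for each packet that completes `sequence`
    as the last len(sequence) consecutive packets seen for that key.

    key is the destination address, or (src, dst) when per_src is True so
    that packets from different senders to one host do not interleave.
    """
    history = defaultdict(lambda: deque(maxlen=len(sequence)))
    hits = []
    for i, (src, dst, proto) in enumerate(packets):
        key = (src, dst) if per_src else dst
        history[key].append(proto)
        if tuple(history[key]) == tuple(sequence):
            hits.append((i, key))
    return hits


def two_packet_hits(packets):
    """The exact check from the post: 103 with a 77 one packet earlier."""
    return find_sequences(packets, sequence=(77, 103))


if __name__ == "__main__":
    print("stock rule alerts:", stock_rule_hits(SAMPLE_PACKETS))
    print("77->103 alerts:   ", two_packet_hits(SAMPLE_PACKETS))
    print("full sequence:    ", find_sequences(SAMPLE_PACKETS))
```

The per-destination deque keeps only the last few protocol numbers per host, so memory is bounded by the number of destinations; for long-running use, entries should be aged out, and `per_src=True` is the safer key when many senders talk to one host.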



