[Snort-users] newbie question about pass and alert directive
rlorenzo121 at ...11827...
Fri Feb 22 04:27:46 EST 2013
I'm new to Snort and, reading the docs... I can't find what I'm looking for
(maybe I have to be more concentrated).
If I want to ignore SYN+ACK, RST+ACK and ACK used for a normal established
connection from my server to every host on the internet, but I want to generate
an alert for every spurious ACK or RST generated by my server not belonging
to any ESTABLISHED connection.
So, from what I understood, my rule will be:
alert tcp $HOME_NET any -> any any (msg:"test rule";
flow:from_server,not_established; classtype:not-suspicious; sid:10000012;)
Writing these rules:
1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A;
classtype:not-suspicious; sid:10000013; rev:1;)
2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A;
content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014;)
will the rule at point 2 be ignored because the rule at point 1 tells Snort to
ignore every TCP packet with the ACK flag set?
Thank you in advance for your response,
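The following is an added toy model (not Snort's code and not the poster's configuration) of two things that decide the answer to this question: Snort 2's documented rule-action order, which is pass before drop/alert/log by default and alert-first only with --alert-before-pass, and the "flags:" option, where a bare "A" matches only packets whose sole flag is ACK while "A+" also accepts ACK combined with other flags. The Packet and Rule classes and the sample packets are constructed for the example.

```python
"""Toy model of Snort 2 rule-action ordering and the flags: option.
Constructed example: models the documented Snort 2 behaviour that the
default order is pass -> drop -> alert -> log, and that --alert-before-pass
puts alert first. It is not Snort itself and ignores all other rule options."""
from dataclasses import dataclass
from typing import Optional, Tuple

TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def flags_match(spec: str, flags: int) -> bool:
    """Snort 'flags:' semantics: bare letters = exactly those bits set,
    trailing '+' = those bits plus any others, trailing '*' = any of them."""
    mode = spec[-1] if spec[-1] in "+*" else ""
    want = 0
    for ch in spec.rstrip("+*"):
        want |= TCP_FLAGS[ch]
    if mode == "+":
        return flags & want == want
    if mode == "*":
        return flags & want != 0
    return flags == want

@dataclass
class Packet:
    flags: int            # raw TCP flag bits
    payload: str = ""     # constructed payload text

@dataclass
class Rule:
    action: str           # "pass" or "alert"
    flags: str            # value of the flags: option
    content: Optional[str] = None   # value of the content: option (nocase)
    sid: int = 0
    def matches(self, pkt: Packet) -> bool:
        if not flags_match(self.flags, pkt.flags):
            return False
        return self.content is None or self.content.lower() in pkt.payload.lower()

def evaluate(rules, pkt: Packet, alert_before_pass: bool = False) -> Tuple[str, Optional[int]]:
    """Return the (action, sid) Snort would apply: the first matching rule in
    the configured action order wins, so a matching pass rule silences alerts."""
    order = ["alert", "pass"] if alert_before_pass else ["pass", "alert"]
    for action in order:
        for r in rules:
            if r.action == action and r.matches(pkt):
                return (action, r.sid)
    return ("none", None)

# The two rules from the post, reduced to the options this model understands.
RULES = [Rule("pass", "A", sid=10000013),
         Rule("alert", "A", content="bogus trojan", sid=10000014)]
```

Under the default order a pure-ACK packet carrying "bogus trojan" is consumed by the pass rule and never reaches sid 10000014; note also that flags:A does not match SYN+ACK or RST+ACK, so the pass rule as written would not cover those packets either.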