[Snort-users] What does this rule mean?

James Lay jlay at ...13475...
Fri Aug 22 09:59:20 EDT 2014


On 2014-08-22 07:29, Richard Smollett wrote:
> This is in my preprocessor.rules file.
>
> alert ( msg: "STREAM5_NO_3WHS"; sid: 20; gid: 129; rev: 1; metadata:
> rule-type preproc ; classtype:bad-unknown; )
>
>  Where do I find information on what this rule means?

This particular rule means you didn't have a three way handshake.  The 
README.stream5 in the snort source tarball has more details.

James




More information about the Snort-users mailing list