[Snort-users] Rule for initial TCP SYN packet

Thomas Hyslip thomas.hyslip at ...11827...
Thu Jan 9 15:09:22 EST 2014


Hi Markus,

Thanks for the suggestion, but it still doesn't work. I also tried flags:S,CE;

Tom




On Thu, Jan 9, 2014 at 1:56 PM, Markus Lude <markus.lude at ...348...> wrote:

> On Thu, Jan 09, 2014 at 10:51:15AM -0500, Thomas Hyslip wrote:
> > Hi,
>
> Hi,
>
> > I'm trying to write a rule to catch the first TCP packet for new sessions
> > that have the SYN flag set.  But, I'm not seeing anything.  If I remove
> the
> > flag:S option i see everything, any suggestions? here is the rule I have
> > set now.  If I craft a packet with hping3, Snort alerts, but I thought
> this
> > would catch all new TCP connections to webpages.
> >
> > alert tcp $HOME_NET any -> any 80 (msg:"egress filter tcp traffic to port
> > 80 with syn flag set"; flow: stateless; flags:S; classtype:test;
> > sid:1000001; rev:1;)
>
> does it work with  flags:S,12;  ?
>
> Regards,
> Markus
>

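As an added illustration (not code from this thread and not Snort's own implementation), the Python below emulates the matching semantics of Snort's `flags` option so the difference between `flags:S`, `flags:S,12` and `flags:S,CE` can be checked offline: a plain `flags:S` requires SYN to be the only bit set, so an ECN-setup SYN (SYN with CWR and ECE set, as RFC 3168 specifies) is not matched unless those two bits are listed as ignored. The helper names and the sample flag bytes are this example's own.

```python
# Emulates Snort's "flags:<flags>[,<ignore>]" option against a raw TCP flags
# byte. Added example, not Snort's code; helper names are this example's own.

# TCP flag bits as laid out in the header (RFC 793 / RFC 3168).
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80,
}
# Snort also accepts "1"/"2" for the two reserved bits RFC 3168 named CWR/ECE.
FLAG_BITS["1"] = FLAG_BITS["C"]
FLAG_BITS["2"] = FLAG_BITS["E"]


def parse_flag_set(spec):
    """Turn a Snort flag string such as 'S', 'SA', 'CE' or '12' into a bitmask."""
    mask = 0
    for ch in spec:
        if ch == "0":          # "0" means "no flags set"
            continue
        mask |= FLAG_BITS[ch]
    return mask


def flags_option_matches(packet_flags, option):
    """Return True if the flags byte satisfies the given Snort flags option.

    Modifiers: '+' = listed flags plus any others, '*' = any of the listed
    flags, '!' = none of the listed flags; no modifier = exactly these flags.
    Bits named after the comma are ignored before the comparison.
    """
    spec, _, ignore = option.partition(",")
    spec = spec.strip()
    modifier = spec[0] if spec[0] in "+*!" else ""
    want = parse_flag_set(spec[1:] if modifier else spec)
    got = packet_flags & ~parse_flag_set(ignore.strip())  # drop ignored bits
    if modifier == "+":
        return (got & want) == want
    if modifier == "*":
        return (got & want) != 0
    if modifier == "!":
        return (got & want) == 0
    return got == want


# Constructed sample flag bytes: a plain SYN, an ECN-setup SYN (SYN+CWR+ECE),
# and a SYN/ACK.
PLAIN_SYN = 0x02
ECN_SYN = 0x02 | 0x40 | 0x80
SYN_ACK = 0x02 | 0x10

for opt in ("S", "S,12", "S,CE", "+S"):
    print(f"flags:{opt:5} ECN SYN -> {flags_option_matches(ECN_SYN, opt)}")
```

Running it shows `flags:S` returning False for the ECN-setup SYN while `flags:S,12`, `flags:S,CE` and `flags:+S` return True; a packet capture of the traffic in question is the quickest way to confirm which header bits are actually present.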
