Thu Nov 23 16:36:19 EST 2017
having "any form of integer" prior to the threshold quad values.
Inserting the content:" "; offset:0; creates that integer value
prior to the threshold and fixes the abort, even though adding
those makes no sense from a rule perspective.
The above rule was actually intended to help identify high rates of
TCP SYN traffic (e.g., viruses, trojans) generated by internal ISP
customer machines. As such, there is no desire to have a content
or offset parameter.