No subject

Thu Nov 23 16:36:19 EST 2017

having "any form of interger" prior to the threshold quad values.
Inserting the content:" "; offset:0; creates that integer value
prior to the threshold and fixes the abort, even though adding
those makes no sense from a rule perpsecitve.

The above rule was actually intended to help identify high rates of
tcp SYN traffic (eg, viruses, trojans) generated by internal ISP 
customer machines. As such, there is no desire to have a content 
or offset parameter.


More information about the Snort-users mailing list