No subject


Thu Nov 23 16:36:19 EST 2017


having "any form of interger" prior to the threshold quad values.
Inserting the content:" "; offset:0; creates that integer value
prior to the threshold and fixes the abort, even though adding
those makes no sense from a rule perspective.

The above rule was actually intended to help identify high rates of
TCP SYN traffic (e.g., viruses, trojans) generated by internal ISP
customer machines. As such, there is no desire to have a content 
or offset parameter.

Rich






More information about the Snort-users mailing list