Snort mailing list archives
Re: snort 1.8 rules
From: Phil Wood <cpw () lanl gov>
Date: Thu, 24 May 2001 15:40:36 -0600
Oops, I just got my own message. I meant to say that the rule should be looking for source ports 1024 and greater. Otherwise it becomes a giant false-positive generator when a source port is 80 or something like that.

I guess the source port could be changed to:

!:1023 or 1024:

Is that right?

On Thu, May 24, 2001 at 02:33:06PM -0600, Phil Wood wrote:
Folks,

It appears that a rule like:

alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "ddos-shaft-synflood-outgoing"; seq: 674711609; flags: S; reference: arachnids,253;)

or

alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos;)

will catch packets like:

10.0.0.0:1024 -> 1.2.3.4:37123

I think the intent of the rules was to look for source ports LESS than 1024.

Thanks,
Phil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
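To make the port-range question in the thread concrete, here is a small matcher for Snort's port-specification syntax; this is an added illustration, not code from the message or from Snort, and it assumes Snort's inclusive semantics (`:1024` covers 0 through 1024, `1024:` covers 1024 through 65535, `!` negates, `any` matches everything). The constructed checks show why `:1024` still fires on a source port of 1024 and how `1024:` or `!:1023` restricts the rule to the high ports.

```python
# Added example (not from the thread): evaluate Snort-style port specs
# ("80", "low:high", ":high", "low:", "!spec", "any") against a port.
# Assumed semantics: ranges are inclusive; an open end means 0 or 65535.

MAX_PORT = 65535


def parse_port_spec(spec: str):
    """Return (negated, low, high) for a Snort-style port spec."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.lower() == "any":
        return negated, 0, MAX_PORT
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        low = int(lo_s) if lo_s else 0          # ":1024" -> low = 0
        high = int(hi_s) if hi_s else MAX_PORT  # "1024:" -> high = 65535
    else:
        low = high = int(spec)
    if not (0 <= low <= high <= MAX_PORT):
        raise ValueError(f"bad port spec: {spec!r}")
    return negated, low, high


def port_matches(spec: str, port: int) -> bool:
    """True if `port` satisfies `spec` (negation flips the range test)."""
    negated, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return (not inside) if negated else inside


def matching_specs(port: int, specs) -> list:
    """Return the specs from `specs` that match `port`, so the original
    ':1024' source-port spec can be compared with the two proposed ones."""
    return [s for s in specs if port_matches(s, port)]


if __name__ == "__main__":
    # Constructed sample ports: 1024 from the packet quoted in the thread,
    # 80 for a web-server reply, and an ephemeral client port.
    candidates = [":1024", "1024:", "!:1023"]
    for sport in (1024, 80, 37123):
        print(sport, matching_specs(sport, candidates))
```

Running it shows that `:1024` matches both 1024 and 80, while `1024:` and `!:1023` behave identically and match only 1024 and the ephemeral port.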