"trons" Rules

[dr.kaos <dr.kaos () kaos to>]

Hmmmmm. Anbody else find this interesting?  trons, huh...

> From BugTraq in a response re: missing blackice signatures and a 
means by which to make blackice log certain attacks...

./dr.k

[...snip...]

"I can't recommend you use this feature, but it may be interesting 
for entertainment purposes. Add the following lines to the 
"blackice.ini" file:

trons = enabled
trons.rule = alert tcp any any -> any any (msg:"URG Scan";flags:U;)
trons.filename = trons-needs-filename-even-if-dont-exist

I can't stress enough that this feature is unsupported and that 
you can't get any help from us about this feature at this time. 
However, you might find documentation somewhere on the net :-).
As a user, I added those lines and transmitted the packet
described in the NtWaK0 message, and BlackICE triggered on it."

Robert Graham
Internet Security Systems

PS: I'll be putting up a small TRONS document up on my personal
website tomorrow. The link will be:
http://robertgraham.com/pubs/ids/trons.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users