Snort mailing list archives
"trons" Rules
From: dr.kaos <dr.kaos () kaos to>
Date: Fri, 1 Mar 2002 00:42:40 -0500
Hmmmmm. Anbody else find this interesting? trons, huh...
From BugTraq in a response re: missing blackice signatures and a
means by which to make blackice log certain attacks... ./dr.k [...snip...] "I can't recommend you use this feature, but it may be interesting for entertainment purposes. Add the following lines to the "blackice.ini" file: trons = enabled trons.rule = alert tcp any any -> any any (msg:"URG Scan";flags:U;) trons.filename = trons-needs-filename-even-if-dont-exist I can't stress enough that this feature is unsupported and that you can't get any help from us about this feature at this time. However, you might find documentation somewhere on the net :-). As a user, I added those lines and transmitted the packet described in the NtWaK0 message, and BlackICE triggered on it." Robert Graham Internet Security Systems PS: I'll be putting up a small TRONS document up on my personal website tomorrow. The link will be: http://robertgraham.com/pubs/ids/trons.html _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- "trons" Rules dr . kaos (Feb 28)
- RE: "trons" Rules Jason Lewis (Feb 28)
- <Possible follow-ups>
- RE: "trons" Rules Lampe, John W. (Mar 01)
- RE: "trons" Rules Jeff Dell (Mar 01)
- Re: "trons" Rules Jeff Nathan (Mar 02)
- Re: "trons" Rules dr . kaos (Mar 01)
- RE: "trons" Rules Jeff Dell (Mar 01)
- RE:"trons" Rules counter . spy (Mar 01)
- RE:"trons" Rules counter . spy (Mar 02)
- Re: "trons" Rules Fyodor (Mar 02)
- RE:"trons" Rules counter . spy (Mar 02)
- RE: "trons" Rules Kohlenberg, Toby (Mar 02)
- Re: "trons" Rules Fyodor (Mar 03)