Snort mailing list archives

Question on acid - Rules question


From: Snow Jacob C KPWA <JacobSC () kpt nuwc navy mil>
Date: Tue, 13 May 2003 08:56:12 -0700

On the page for the unique IP link, what is that testing?  Does it check for a
SYN and then an ACK coming back, or what are the criteria for this?  I am trying to
get a list of SYNs that are going out of my network that also receive an ACK
back.  I have a rule that checks for the outgoing SYN:


alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn Outbound"; flags:S; tag:session,2,packets;)


Is there a way to modify the rule to make sure it gets an ACK back and only then
set off the alert, kinda like an if statement or something?


I am doing this to document what ports/addresses are going out of our
network and on which ports.  Any help would be good, so that I don't have to
just go through all the log files by hand myself.


Thank you,


Jacob Snow

jacobsc () kpt nuwc navy mil

(360)315-3487

NAVSEA Intern
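As an added example (not part of the original post or of Snort), this is the handshake correlation the question asks for, done in Python over packet records rather than inside a single rule: an outbound SYN matching the posted rule's criteria is reported only once the matching SYN/ACK comes back from the external host. It assumes a HOME_NET of 10.0.0.0/8 and a constructed list of (src, sport, dst, dport, flags) records standing in for logged packets.

```python
import ipaddress
from collections import defaultdict

# Assumed stand-in for $HOME_NET; anything outside it counts as $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample packet log: (src, sport, dst, dport, tcp_flags).
PACKETS = [
    ("10.1.2.3", 40001, "198.51.100.7", 80, "S"),
    ("198.51.100.7", 80, "10.1.2.3", 40001, "SA"),   # answered
    ("10.1.2.3", 40002, "198.51.100.9", 22, "S"),    # never answered
    ("10.1.2.4", 40003, "203.0.113.5", 25, "S"),
    ("203.0.113.5", 25, "10.1.2.4", 40003, "R"),     # refused with RST, not an ACK
    ("10.1.2.4", 40004, "203.0.113.5", 443, "S"),
    ("203.0.113.5", 443, "10.1.2.4", 40004, "SA"),   # answered
    ("10.1.2.5", 40005, "10.1.2.6", 80, "S"),        # internal only, ignored
    ("10.1.2.6", 80, "10.1.2.5", 40005, "SA"),
]

def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET

def outbound_syn(pkt, max_port=1024):
    """Mirror of the posted rule: $HOME_NET any -> $EXTERNAL_NET :1024, flags S."""
    src, sport, dst, dport, flags = pkt
    return flags == "S" and is_home(src) and not is_home(dst) and dport <= max_port

def answered_syns(packets, max_port=1024):
    """Return (completed, unanswered) 4-tuples (src, sport, dst, dport).

    A SYN is 'completed' only when a SYN/ACK arrives with the ports reversed,
    which is the 'if statement' the rule alone cannot express."""
    pending = {}
    completed = []
    for pkt in packets:
        src, sport, dst, dport, flags = pkt
        if outbound_syn(pkt, max_port):
            pending[(src, sport, dst, dport)] = True
        elif flags == "SA":
            key = (dst, dport, src, sport)       # reverse direction of the reply
            if pending.pop(key, None):
                completed.append(key)
    return completed, sorted(pending)

def ports_by_destination(completed):
    """Summarise completed handshakes as {external host: [ports]} for the inventory."""
    out = defaultdict(set)
    for _src, _sport, dst, dport in completed:
        out[dst].add(dport)
    return {dst: sorted(ports) for dst, ports in out.items()}
```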


