Snort mailing list archives
[PATCH]: RFC3514 Support for simplifying the task of detecting Evil.
From: Joshua Kinard <kumba () gentoo org>
Date: Sun, 01 Apr 2012 05:17:47 -0400
Hi snort-devel,

The attached patch introduces RFC3514 support (The Security Flag in the IPv4 Header) into Snort. Also known as the "Evil Bit", support of this flag greatly simplifies the task of detecting network traffic with evil intentions. Entire rulesets can be replaced by one, single rule:

alert ip any any <> any any (msg:"Evil Network Traffic Detected!"; fragbits:E; sid:42003514; rev:1; gid:1; classtype:bad-unknown;)

More information on this oft-overlooked RFC can be found here:
http://www.ietf.org/rfc/rfc3514.txt

Cheers! :)

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
Attachment: snort-2.9.2.2-rfc3514-support.patch
Attachment: signature.asc (OpenPGP digital signature)
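Added example, not part of the original message or the attached patch: the bit the rule above tests is the high-order bit of the 16-bit flags/fragment-offset word in the IPv4 header, which stock Snort's fragbits option already exposes as R (reserved bit). The sketch below decodes that word from raw header bytes; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct

# Bit masks within the 16-bit flags/fragment-offset word at byte offset 6.
EVIL = 0x8000   # RFC 3514 security flag (the otherwise reserved high-order bit)
DF = 0x4000     # Don't Fragment
MF = 0x2000     # More Fragments


def ipv4_fragbits(packet: bytes) -> dict:
    """Decode the flag bits of a raw IPv4 header; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid header length")
    (word,) = struct.unpack_from("!H", packet, 6)
    return {"E": bool(word & EVIL), "D": bool(word & DF),
            "M": bool(word & MF), "offset": (word & 0x1FFF) * 8}


def flagged(packets) -> list:
    """Indexes of packets a 'fragbits:E' style check would alert on."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            if ipv4_fragbits(pkt)["E"]:
                hits.append(i)
        except ValueError:
            continue  # malformed input is skipped, not treated as a match
    return hits


def sample_header(flags_word: int) -> bytes:
    """Constructed 20-byte header (documentation addresses, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_word, 64, 6, 0,
                       socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.2"))


if __name__ == "__main__":
    pkts = [sample_header(DF), sample_header(EVIL | DF), b"\x45\x00"]
    print(flagged(pkts))
```

The bit is set by the sender, so a match reflects only what the sending host chose to put in the header.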
Current thread:
- [PATCH]: RFC3514 Support for simplifying the task of detecting Evil. Joshua Kinard (Apr 01)
- Re: [PATCH]: RFC3514 Support for simplifying the task of detecting Evil. Steve Sturges (Apr 01)
- Re: [PATCH]: RFC3514 Support for simplifying the task of detecting Evil. Joshua Kinard (Apr 01)
- Re: [PATCH]: RFC3514 Support for simplifying the task of detecting Evil. Steve Sturges (Apr 01)