Snort mailing list archives
newbie question about pass and alert directive
From: "." <rlorenzo121 () gmail com>
Date: Fri, 22 Feb 2013 10:27:46 +0100
Hi folks,

I'm new to Snort and, reading the docs, I can't find what I'm looking for (maybe I have to be more concentrated). I want to ignore the SYN+ACK, RST+ACK and ACK used for normal established connections from my server to every host on the internet, but I want to generate an alert for every spurious ACK or RST generated from my server that does not belong to any ESTABLISHED connection. So, from what I understood, my rule will be:

    alert tcp $HOME_NET any -> any any (msg:"test rule"; flow:from_server,not_established; classtype:not-suspicious; sid:10000012; rev:1;)

Another question: writing these rules:

1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A; classtype:not-suspicious; sid:10000013; rev:1;)

2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A; content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)

Will the rule at point 2 be ignored because the rule at point 1 tells Snort to ignore every TCP packet with the ACK flag set?

Thank you in advance for your response.

Regards,
Federico
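As an added illustration (not part of Federico's post and not Snort's own code): a toy matcher that parses the two rules from points 1 and 2 and shows that a pure-ACK segment carrying the string matches both of them, so which action wins is decided by the rule-type order Snort is configured with (`config order`), not by anything in the rule text. The packet dicts are constructed, and `flow` is not modelled because it needs stream state.

```python
import re
# The two rules quoted in the post (sid 10000013 is the pass rule, 10000014 the alert rule).
RULES = [
    'pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A; '
    'classtype:not-suspicious; sid:10000013; rev:1;)',
    'alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A; '
    'content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)',
]

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(text):
    """Split one rule into header fields plus an options dict (simplified: no quoted ';')."""
    action, proto, src, sport, _, dst, dport, body = HEADER_RE.match(text).groups()
    opts = {}
    for opt in (o.strip() for o in body.split(';')):
        if opt:
            key, _, val = opt.partition(':')
            opts[key] = val.strip().strip('"')   # flag-style options such as nocase get ''
    return {"action": action, "proto": proto, "src": src, "opts": opts, "sid": int(opts["sid"])}

def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src_in_home, flags (set of letters), payload (bytes)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] == "$HOME_NET" and not pkt["src_in_home"]:
        return False
    o = rule["opts"]
    # flags:A (no '+' or '*' modifier) means ACK set and every other TCP flag clear.
    if "flags" in o and set(o["flags"]) != pkt["flags"]:
        return False
    if "content" in o:
        hay, needle = pkt["payload"], o["content"].encode()
        if "nocase" in o:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

def matching_sids(pkt, rules=RULES):
    # Every rule whose header and options match pkt, regardless of its action.
    return [r["sid"] for r in map(parse_rule, rules) if rule_matches(r, pkt)]

def first_action(pkt, order, rules=RULES):
    """Action applied under a given rule-type order, e.g. ("pass", "alert") or ("alert", "pass")."""
    parsed = [r for r in map(parse_rule, rules) if rule_matches(r, pkt)]
    for action in order:
        if any(r["action"] == action for r in parsed):
            return action
    return None
```

A SYN+ACK segment matches neither rule, because `flags:A` without a modifier requires ACK to be the only flag set.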