Snort mailing list archives

Problems on how to use Option flowbits


From: Luo Xin <kingsleyluoxin () hotmail com>
Date: Wed, 12 Apr 2017 03:31:02 +0000

alert tcp any any -> $HOME_NET any (msg: "State 1"; GID: 1; sid: 10000001; flags: S; flowbits: isnotset, S1; flowbits: set, S1;)
alert tcp $HOME_NET any -> any any (msg: "State 2"; GID: 1; sid: 10000002; flags: SA; flowbits: isset, S1; flowbits: set, S2;)
alert tcp any any -> $HOME_NET any (msg: "State 3"; GID: 1; sid: 10000003; flags: A; flowbits: isset, S2; flowbits: set, S3;)

Above are my simple rules to build a simple state machine for the initialization of a TCP connection. But if I want to use this model to detect syn_flood attacks, what needs to be done? That is, how can I use rules to describe the situation that is not accepted by the state machine described in a handful of Snort rules?
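As an added illustration (not part of the post, and not Snort code), this Python replay of the three rules above shows that flowbits only track one flow at a time: a stalled handshake shows up as a flow that never reaches State 3, and a SYN flood only becomes visible when such flows are counted across connections. The hosts srv (standing in for $HOME_NET) and c1..c4 and the packet trace are constructed.

```python
from collections import defaultdict

HOME_NET = {"srv"}  # assumed: "srv" stands in for $HOME_NET

# Constructed trace of (src, dst, TCP flags). c1 completes the handshake;
# c2 and c3 never send the final ACK; c4 sends a SYN twice and gets no reply.
PACKETS = [
    ("c1", "srv", "S"), ("srv", "c1", "SA"), ("c1", "srv", "A"),
    ("c2", "srv", "S"), ("srv", "c2", "SA"),
    ("c3", "srv", "S"), ("srv", "c3", "SA"),
    ("c4", "srv", "S"), ("c4", "srv", "S"),
]

# The three rules from the post: (msg, flags, packet goes to HOME_NET?, flowbits check, bit to set)
RULES = [
    ("State 1", "S", True, ("isnotset", "S1"), "S1"),
    ("State 2", "SA", False, ("isset", "S1"), "S2"),
    ("State 3", "A", True, ("isset", "S2"), "S3"),
]

def flow_key(src, dst):
    # flowbits live on the flow, whichever direction a packet travels
    return tuple(sorted((src, dst)))

def run_rules(packets):
    """Replay the trace through the flowbits state machine; return (alerts, bits per flow)."""
    bits = defaultdict(set)
    alerts = []
    for src, dst, flags in packets:
        state = bits[flow_key(src, dst)]
        for msg, want_flags, to_home, (check, bit), set_bit in RULES:
            if flags != want_flags or (dst in HOME_NET) != to_home:
                continue
            if (check == "isset") != (bit in state):  # isset needs the bit, isnotset its absence
                continue
            state.add(set_bit)
            alerts.append(msg)
    return alerts, dict(bits)

def incomplete_flows(bits):
    """Flows that never reached State 3: the handshake stalled, which no single rule alerts on."""
    return sorted(k for k, s in bits.items() if "S3" not in s)

def syn_flood_suspected(bits, threshold):
    """Cross-flow counting is what a SYN-flood check needs; flowbits alone track one flow."""
    return len(incomplete_flows(bits)) >= threshold

if __name__ == "__main__":
    alerts, bits = run_rules(PACKETS)
    print(alerts)
    print(incomplete_flows(bits), syn_flood_suspected(bits, 3))
```

In Snort itself the cross-flow count would come from a rate keyword such as detection_filter on the SYN rule rather than from flowbits.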