Snort mailing list archives
Problems on how to use Option flowbits
From: Luo Xin <kingsleyluoxin () hotmail com>
Date: Wed, 12 Apr 2017 03:31:02 +0000
alert tcp any any -> $HOME_NET any (msg:"State 1"; gid:1; sid:10000001; flags:S; flowbits:isnotset,S1; flowbits:set,S1;)
alert tcp $HOME_NET any -> any any (msg:"State 2"; gid:1; sid:10000002; flags:SA; flowbits:isset,S1; flowbits:set,S2;)
alert tcp any any -> $HOME_NET any (msg:"State 3"; gid:1; sid:10000003; flags:A; flowbits:isset,S2; flowbits:set,S3;)

Above are my simple rules to build a simple state machine for the initialization of a TCP connection. But if I want to use this model to detect SYN flood attacks, what needs to be done? That is, how can I use rules to describe the situation that is not accepted by the state machine described in a handful of Snort rules?
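Snort keeps flowbits per TCP session, so "the handshake never completed" is the absence of a packet and cannot be matched by any single rule; it only becomes visible when half-open sessions are counted across flows. The following added example (not from the poster or from Snort) simulates the three posted rules on constructed traffic and then counts flows stuck at State 1 per protected host, which is the aggregate check a SYN flood detector needs; HOME_NET, the addresses, the port numbers and the threshold are all assumed values.

```python
from collections import defaultdict

HOME_NET = {"10.0.0.5"}  # constructed: the protected host

# The three posted rules: flags, direction, bit that must be set / must not be set, bit to set.
RULES = [
    {"msg": "State 1", "flags": "S",  "to_home": True,  "isset": None, "isnotset": "S1", "set": "S1"},
    {"msg": "State 2", "flags": "SA", "to_home": False, "isset": "S1", "isnotset": None, "set": "S2"},
    {"msg": "State 3", "flags": "A",  "to_home": True,  "isset": "S2", "isnotset": None, "set": "S3"},
]

def flow_key(pkt):
    # flowbits live on the session, so both directions of a connection share one key
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def run_rules(packets):
    """Evaluate the rules in order; return (alert messages, per-flow bit sets)."""
    flows, alerts = defaultdict(set), []
    for pkt in packets:
        bits, to_home = flows[flow_key(pkt)], pkt["dst"] in HOME_NET
        for r in RULES:
            if pkt["flags"] != r["flags"] or to_home != r["to_home"]:
                continue
            if r["isset"] and r["isset"] not in bits:
                continue
            if r["isnotset"] and r["isnotset"] in bits:
                continue
            bits.add(r["set"])
            alerts.append(r["msg"])
    return alerts, flows

def half_open_by_target(flows):
    """Flows that reached State 1 but never State 3, counted per HOME_NET address."""
    counts = defaultdict(int)
    for key, bits in flows.items():
        if "S1" in bits and "S3" not in bits:
            counts[next(ip for ip, _ in key if ip in HOME_NET)] += 1
    return dict(counts)

def syn_flood_targets(flows, threshold=3):
    """Hosts whose number of half-open sessions reaches the (assumed) threshold."""
    return sorted(ip for ip, n in half_open_by_target(flows).items() if n >= threshold)

def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

# constructed traffic: one complete handshake, then four SYNs that are never acknowledged
SAMPLE = [pkt("192.0.2.10", 40000, "10.0.0.5", 80, "S"),
          pkt("10.0.0.5", 80, "192.0.2.10", 40000, "SA"),
          pkt("192.0.2.10", 40000, "10.0.0.5", 80, "A")]
SAMPLE += [pkt("203.0.113.%d" % i, 50000 + i, "10.0.0.5", 80, "S") for i in range(4)]

if __name__ == "__main__":
    alerts, flows = run_rules(SAMPLE)
    print(alerts, half_open_by_target(flows), syn_flood_targets(flows))
```

Each flood SYN is a new session, so its bits never see S2 or S3; the per-flow rules alone fire only "State 1" for it, and the detection comes from the cross-flow count.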