Re: SNORT keywork to check TCP window size

[Phil Wood <cpw () lanl gov>]

On Wed, Sep 12, 2001 at 04:19:22PM +0100, Alberto Grazi wrote:
> I've actually found something in the changelog which says it is possible
> to check it but there is no mention at all in the documentation... Can
> anyone help ?

alert tcp any any -> any any (msg: "window is zero"; window: 0;)

> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/ChangeLog?rev
> =1.13&content-type=text/vnd.viewcvs-markup
>
> /* $Id: ChangeLog,v 1.13 2001/08/15 05:54:35 roesch Exp $ */
> [...]
>
> 2001-04-19 bmc <bmc () mitre org>
> [...]
>     * added sp_tcp_win_check.  TCP Window Size can be looked now 
>
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Alberto
> Grazi
> Sent: 13 September 2001 00:42
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] SNORT keywork to check TCP window size
>
>
> Hi, 
> does anyone know how to check the window size of a TCP packet in a SNORT
> rule? 
> I've been looking in the documentation and on the Net but I haven't
> found it yet... there has to be a way, it's written in the changelog!
>
> Any help is appreciated.
> Regards
> Alberto Grazi
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users