Snort mailing list archives
Alert Rule for Packet Crafting Tool
From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Sat, 10 Nov 2001 15:00:47 -0800
Hello Snorters,

I am trying to write an alert rule for capturing possible packet crafting tools. For example, if I run HPING like so:

hping -V -c 1 -S -p 21 host

I will send a TCP packet to port 21 with the SYN flag set and no TCP options, with a datagram length of 40 bytes, which is almost never seen from any operating system on an initial SYN packet. Almost all, if not all, operating systems will set various TCP options, for a datagram length of 44 to 60 bytes.

I know how to do this with BPF filters and Snort, but the problem is that if I run the BPF filter call along with the normal rules and the BPF filter triggers, I won't know which IP-addressed folder holds the event that triggered the filter. I thought I could write a Snort alert rule for this using dsize, but dsize checks the packet data payload.

Does anyone have any ideas? Thank you for your time and help.

Brent Erickson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
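The check the post describes (SYN set, no TCP options, 40-byte IP datagram) cannot be expressed with dsize because dsize only measures the TCP payload; it has to come from the IP and TCP header lengths. The following is an added example, not code from the post or from the Snort project: it parses the IPv4 and TCP headers of raw packets and flags a "bare" SYN, the way an offline pcap check or a custom preprocessor would. The function names, the two sample packets and their zeroed checksums are all constructed here for illustration.

```python
import struct

SYN = 0x02
ACK = 0x10


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Return header lengths and flags of a raw IPv4/TCP packet (no link layer)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]  # whole datagram, what hping's 40 refers to
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a TCP packet with a full header")
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length, 20 means no options
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "sport": sport,
        "dport": dport,
        "total_len": total_len,
        "tcp_opts_len": data_off - 20,
        "flags": tcp[13],
        "payload_len": total_len - ihl - data_off,  # this is all dsize would see
    }


def is_bare_syn(fields: dict) -> bool:
    """SYN without ACK, no TCP options and no payload: the 40-byte initial SYN."""
    return (fields["flags"] & (SYN | ACK)) == SYN \
        and fields["tcp_opts_len"] == 0 \
        and fields["payload_len"] == 0


def scan(packets) -> list:
    """Run the check over raw packets and return one alert string per hit."""
    alerts = []
    for pkt in packets:
        f = parse_ipv4_tcp(pkt)
        if is_bare_syn(f):
            alerts.append(f"bare SYN from {f['src']}:{f['sport']} to port {f['dport']}, "
                          f"{f['total_len']}-byte datagram")
    return alerts


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, options: bytes = b"") -> bytes:
    """Constructed test packet: IPv4 + TCP SYN, checksums left at zero (not verified above)."""
    options += b"\x00" * ((-len(options)) % 4)   # options padded to a 4-byte boundary
    tcp_len = 20 + len(options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len,
                         0x1234, 0x4000, 64, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          (tcp_len // 4) << 4, SYN, 5840, 0, 0)
    return ip_hdr + tcp_hdr + options


# Constructed samples: an hping-style SYN with no options (40 bytes) and an
# OS-style SYN carrying only an MSS option (44 bytes).
HPING_LIKE = build_syn(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, 21)
OS_LIKE = build_syn(bytes([10, 0, 0, 3]), bytes([10, 0, 0, 2]), 40001, 21,
                    options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for line in scan([HPING_LIKE, OS_LIKE]):
        print(line)
```

Both samples have a zero-length payload, so a dsize-based rule would treat them identically; only the TCP data offset (options present or not) separates them. A real deployment would also want to skip packets that arrive fragmented or with an IP header longer than 20 bytes, which the parser handles by using the IHL field rather than assuming 20.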