Snort mailing list archives

Re: What wins? TCP headers or packet contents?


From: John Sage <jsage () finchhaven com>
Date: Fri, 13 Sep 2002 21:51:01 -0700

Good golly, miss molly...

At least someone was paying attention.

On Thu, Sep 12, 2002 at 08:31:27PM -0400, Chris Green wrote:
John Sage <jsage () finchhaven com> writes:

Let me bring the question up to the top:

<snip the question, 'cause there wasn't really one>

Let's chop up this mail a bit. There's no notion of what wins because
it's a logical AND of the portions in the rule header and in the rule
options list.

The rule:

"Check TCP traffic from $EXTERNAL_NET with any source port to HOME_NET
port 32770 or above and look for Foo flags with a content of
OOOOOOOOOOOOOO02010186A1 starting 5 bytes into the packet"

rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC
rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86
A1|";offset:5; reference:arachnids,9;classtype:attempted-recon;
sid:1278;  rev:3;)
<snip>

arf..

Oh. Yeah. That *semicolon* after "32770".. heh.. yeah..

*That* semicolon. heh.. hmm..


Thanks, Chris.

That's why you get paid the big bucks (I hope)!


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
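To make Chris's point concrete, here is a small added example (not code from the thread, Snort, or its authors) that evaluates the quoted sid 1278 rule against constructed packets and shows why neither side "wins": the header fields (protocol, networks, ports) and the option list (flags, content, offset) are ANDed, and a packet that fails either half produces no alert. It assumes a HOME_NET of 10.0.0.0/8, represents a packet as a plain dict, and implements only the keywords this rule uses (`flags`, `content`, `offset`); `32770:` is treated as Snort's "port 32770 and above", and `offset:5` as "begin the content search five bytes into the payload".

```python
import ipaddress
import re

# The rule quoted in the thread (Snort sid 1278), joined onto one line.
RPC_RSTATD_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: '
    '(msg:"RPC rstatd query"; flags:A+; '
    'content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; '
    'reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)'
)

# Assumed address space for this example (constructed, not from the thread).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# The 12 bytes the rule looks for, built from the same hex as the rule.
PATTERN = bytes.fromhex("00 00 00 00 00 00 00 02 00 01 86 A1")


def port_matches(spec, port):
    """Snort port syntax: 'any', '80', '80:' (80 and up), ':1024' (up to 1024), '1:1024'."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":", 1)
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def net_matches(var, ip):
    """Resolve the two rule variables used here; $EXTERNAL_NET is taken as !$HOME_NET."""
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside if var == "$HOME_NET" else not inside


def parse_rule(text):
    """Split a rule into its seven header fields and an ordered (keyword, value) option list."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*)\s*;', body.rstrip(")"))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "options": [(k, v.strip('"')) for k, v in opts]}


def content_bytes(value):
    """Content string to bytes: text outside |...| is literal, text inside is hex."""
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(parts))


def flags_match(spec, flags):
    """'A+' = ACK set, others allowed; 'A' alone = exactly ACK; 'A*' = any of the listed."""
    want, mod = (spec[:-1], spec[-1]) if spec[-1] in "+*" else (spec, "")
    want, have = set(want), set(flags)
    if mod == "+":
        return want <= have
    if mod == "*":
        return bool(want & have)
    return want == have


def header_matches(rule, pkt):
    """Protocol, source net/port and destination net/port must all agree."""
    return (pkt["proto"] == rule["proto"]
            and net_matches(rule["src"], pkt["src"])
            and port_matches(rule["sport"], pkt["sport"])
            and net_matches(rule["dst"], pkt["dst"])
            and port_matches(rule["dport"], pkt["dport"]))


def options_match(rule, pkt):
    """Every detection option must hold; 'offset' modifies the content that precedes it."""
    opts = rule["options"]
    for i, (key, val) in enumerate(opts):
        if key == "flags" and not flags_match(val, pkt["flags"]):
            return False
        if key == "content":
            offset = 0
            for k2, v2 in opts[i + 1:]:   # modifiers sit between this content and the next
                if k2 == "content":
                    break
                if k2 == "offset":
                    offset = int(v2)
            if pkt["payload"].find(content_bytes(val), offset) == -1:
                return False
    return True


def match_rule(rule_text, pkt):
    """Header AND options: the alert fires only when both halves match."""
    rule = parse_rule(rule_text)
    return header_matches(rule, pkt) and options_match(rule, pkt)


def sample(dport=32771, flags="PA", payload=None, src="198.51.100.7"):
    """Constructed packet: pattern placed exactly 5 bytes into the payload by default."""
    if payload is None:
        payload = b"\x80\x00\x00\x28\x01" + PATTERN + b"\x00" * 4
    return {"proto": "tcp", "src": src, "dst": "10.0.0.5", "sport": 40000,
            "dport": dport, "flags": flags, "payload": payload}


if __name__ == "__main__":
    rule = parse_rule(RPC_RSTATD_RULE)
    for label, pkt in [("full match", sample()), ("port 111", sample(dport=111)),
                       ("SYN only", sample(flags="S")),
                       ("pattern too early", sample(payload=b"\x00\x00" + PATTERN))]:
        print(f"{label:18} header={header_matches(rule, pkt)!s:5} "
              f"options={options_match(rule, pkt)!s:5} alert={match_rule(RPC_RSTATD_RULE, pkt)}")
```

The "port 111" case is the one the thread is about: the payload and flags satisfy every option, but the destination port falls outside `32770:`, so the header half of the AND is false and nothing fires.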



