Snort mailing list archives
Re: BAD TRAFFIC data in TCP SYN packet
From: Brian <bmc () snort org>
Date: Wed, 26 Feb 2003 10:00:06 -0500
On Tue, Feb 25, 2003 at 10:25:20AM -0500, Keith Pachulski wrote:
bad rule bad-traffic.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526; classtype:misc-activity; rev:4;) the rule lacks the tcp ports noted in the cert advisory
Seeing data in the payload is STILL bad, regardless of the ports stated in the CERT advisory. Obviously, nobody has ever changed the port on a malicious tool. The reference is there to provide you with an idea of what is going on and an example of its malicious usage. -brian ------------------------------------------------------- This SF.net email is sponsored by: Scholarships for Techies! Can't afford IT training? All 2003 ictp students receive scholarships. Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more. www.ictp.com/training/sourceforge.asp _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- <Possible follow-ups>
- RE: BAD TRAFFIC data in TCP SYN packet Keith Pachulski (Feb 25)
- Re: BAD TRAFFIC data in TCP SYN packet Phil Wood (Feb 25)
- Re: BAD TRAFFIC data in TCP SYN packet Brian (Feb 26)
- BAD TRAFFIC data in TCP SYN packet Ron Shuck (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet Coyle, Brian (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)