Snort mailing list archives

Re: Error on new Rule


From: James Riden <j.riden () massey ac nz>
Date: Thu, 17 Mar 2005 08:22:01 +1300

"Kendall Risselada" <krisselada () farm9 com> writes:

> As udp protocol is stateless, I don't know how this would be
> implemented

Send an ICMP destination/host/port unreachable with spoofed source
address, which is what you would get if the port were really closed.

For UDP you should use the latter group, and for TCP the former, IIRC:

    rst_snd    send TCP-RST packets to the sending socket
    rst_rcv    send TCP-RST packets to the receiving socket
    rst_all    send TCP_RST packets in both directions

    icmp_net   send a ICMP_NET_UNREACH to the sender
    icmp_host  send a ICMP_HOST_UNREACH to the sender
    icmp_port  send a ICMP_PORT_UNREACH to the sender
    icmp_all   send all above ICMP packets to the sender

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
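
A small rule check based on the advice in the message above, added here as an example and not part of the original post or of Snort itself: it flags `resp` modifiers from the TCP-RST group on rules that are not TCP, and modifier names outside the quoted list. The function names are hypothetical, and the sample rules, ports, messages and sids are constructed.

```python
import re

# Modifier groups as listed in the post above.
TCP_RESETS = {"rst_snd", "rst_rcv", "rst_all"}
ICMP_UNREACH = {"icmp_net", "icmp_host", "icmp_port", "icmp_all"}

HEADER = re.compile(r"^\s*(\w+)\s+(tcp|udp|icmp|ip)\s", re.I)
RESP = re.compile(r"\bresp\s*:\s*([^;]+);")


def lint_rule(rule):
    """Return a list of findings for one rule line (empty list = OK)."""
    header = HEADER.match(rule)
    if not header:
        return ["unparseable rule header"]
    proto = header.group(2).lower()
    findings = []
    for option in RESP.findall(rule):
        for mod in (m.strip() for m in option.split(",")):
            if mod not in TCP_RESETS | ICMP_UNREACH:
                findings.append(f"unknown resp modifier '{mod}'")
            elif mod in TCP_RESETS and proto != "tcp":
                findings.append(f"'{mod}' sends a TCP RST but the rule matches "
                                f"{proto}; use an icmp_* modifier")
    return findings


def lint_rules(text):
    """Lint every non-comment line; return {line_number: findings} for bad lines."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        findings = lint_rule(line)
        if findings:
            report[number] = findings
    return report


# Constructed sample rules (ports, messages and sids are made up for the example).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet attempt"; flags:S; resp:rst_all; sid:1000001;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"tftp request"; resp:rst_snd; sid:1000002;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"tftp request"; resp:icmp_port; sid:1000003;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"snmp probe"; resp:icmp_prt; sid:1000004;)
"""

if __name__ == "__main__":
    for number, findings in lint_rules(SAMPLE_RULES).items():
        print(f"line {number}: " + "; ".join(findings))
```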



