Snort mailing list archives

[PATCH]: RFC3514 Support for simplifying the task of detecting Evil.


From: Joshua Kinard <kumba () gentoo org>
Date: Sun, 01 Apr 2012 05:17:47 -0400


Hi snort-devel,

The attached patch introduces RFC3514 support (The Security Flag in the IPv4
Header) into Snort.  Also known as the "Evil Bit", support of this flag
greatly simplifies the task of detecting network traffic with evil
intentions.  Entire rulesets can be replaced by one, single rule:

alert ip any any <> any any (msg:"Evil Network Traffic Detected!";
fragbits:E; sid:42003514; rev:1; gid:1; classtype:bad-unknown;)

More information on this oft-overlooked RFC can be found here:
http://www.ietf.org/rfc/rfc3514.txt


Cheers! :)

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: snort-2.9.2.2-rfc3514-support.patch
Description:

Attachment: signature.asc
Description: OpenPGP digital signature
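As an added example, not part of Joshua's post or of the attached patch, the following Python shows what a sensor would actually have to do to enforce the single rule above: parse the IPv4 header and alert when the high-order bit of the flags/fragment-offset field is set. RFC 3514 (dated 1 April 2003) assigns the "evil bit" to that reserved bit, and Snort's existing fragbits keyword already tests the same bit under the letter R, so the check below needs no new keyword. The addresses, packet bytes and helper names (parse_ipv4_header, build_ipv4_header, evil_bit_alert) are constructed for the example; the sid and message text come from the posted rule.

```python
import struct

# Bit masks for the 16-bit flags/fragment-offset field of the IPv4 header.
EVIL_BIT = 0x8000   # reserved high-order bit; RFC 3514 "evil bit" (Snort fragbits:R)
DF_BIT = 0x4000     # Don't Fragment
MF_BIT = 0x2000     # More Fragments
FRAG_OFFSET_MASK = 0x1FFF

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte header, network byte order


def ipv4_checksum(data: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed part of an IPv4 header into a dict of named fields."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version,
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "evil": bool(flags_frag & EVIL_BIT),   # the RFC 3514 flag
        "df": bool(flags_frag & DF_BIT),
        "mf": bool(flags_frag & MF_BIT),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "ttl": ttl,
        "protocol": proto,
        "checksum": cksum,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def build_ipv4_header(src: str, dst: str, proto: int = 6,
                      evil: bool = False, df: bool = True,
                      payload_len: int = 0) -> bytes:
    """Construct a sample 20-byte IPv4 header (test data, not a live packet)."""
    flags = (EVIL_BIT if evil else 0) | (DF_BIT if df else 0)
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    fields = [0x45, 0, 20 + payload_len, 0x1234, flags, 64, proto, 0, src_b, dst_b]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def evil_bit_alert(pkt: bytes):
    """Equivalent of the posted rule: alert on any IP packet with the evil bit set.

    Returns an alert string in Snort's [gid:sid:rev] style, or None.
    """
    h = parse_ipv4_header(pkt)
    if h["evil"]:
        return ("[1:42003514:1] Evil Network Traffic Detected! "
                f"{h['src']} -> {h['dst']} proto={h['protocol']}")
    return None


if __name__ == "__main__":
    # Constructed sample traffic: one benign packet, one with the evil bit set.
    samples = [
        build_ipv4_header("192.0.2.1", "198.51.100.7", proto=6),
        build_ipv4_header("192.0.2.1", "198.51.100.7", proto=17, evil=True),
    ]
    for pkt in samples:
        print(evil_bit_alert(pkt) or "no alert")
```

In practice no host sets this bit, and many stacks and middleboxes treat a set reserved bit as a malformed header, so the detection above fires only on deliberately crafted packets; that is exactly why the posted rule cannot replace a real ruleset.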

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
