Snort mailing list archives

Re: newbie question about pass and alert directive


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 22 Feb 2013 12:22:10 -0500

On 2/22/2013 04:27, . wrote:
another question:

writing these rules:

1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A;
classtype:not-suspicious; sid:10000013; rev:1;)
2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A;
content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)

the rule at point 2 will be ignored because the rule at point 1 tells snort to ignore
every tcp packet with the ACK flag active?

no... the first rule doesn't tell snort to do anything other than alert based 
on the ACK flag... the second rule will fire if there is content "bogus trojan" 
and the ACK flag... the question is whether such a packet as the second rule is 
looking for will exist...
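The question turns on what Snort does when a pass rule and an alert rule both match the same packet. Snort 2 evaluates rule types in a configured order (by default pass, then drop, then alert, then log; the `--alert-before-pass` option, or `config order:` in snort.conf, moves alert ahead of pass). The following is an added example, not code from the thread or from the Snort project: a toy model of that type ordering, with a minimal parser for the subset of rule syntax the two rules above use. The home network, the packets and the payload are constructed for the example; the parser ignores options it does not model (classtype, rev).

```python
# Added example (not from the mailing-list post or from Snort itself): a toy
# model of how Snort 2 orders rule *types* when several rules match one packet.
# Only the subset of rule syntax used in the thread is parsed.
import re
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple

# Snort 2 default order: a matching pass rule wins over a matching alert rule.
DEFAULT_ORDER = ("pass", "drop", "alert", "log")
# Order used when Snort is started with --alert-before-pass.
ALERT_BEFORE_PASS = ("drop", "alert", "pass", "log")


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters actually set, e.g. "A", "PA", "S"
    payload: bytes = b""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: Optional[str] = None
    content: Optional[str] = None
    nocase: bool = False
    msg: str = ""
    sid: int = 0


RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse header plus the msg/flags/content/nocase/sid options; skip the rest."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "flags":
            rule.flags = val
        elif key == "content":
            rule.content = val
        elif key == "nocase":
            rule.nocase = True
        elif key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
    return rule


def addr_match(spec: str, ip: str, home_net: Set[str]) -> bool:
    if spec == "any":
        return True
    if spec == "$HOME_NET":          # constructed variable binding for the example
        return ip in home_net
    return spec == ip


def port_match(spec: str, port: int) -> bool:
    return spec == "any" or spec == str(port)


def rule_matches(rule: Rule, pkt: Packet, home_net: Set[str]) -> bool:
    if rule.proto != pkt.proto:
        return False
    if not (addr_match(rule.src, pkt.src, home_net) and port_match(rule.sport, pkt.sport)):
        return False
    if not (addr_match(rule.dst, pkt.dst, home_net) and port_match(rule.dport, pkt.dport)):
        return False
    # Unmodified "flags:A" means the ACK bit is set and no other flag is.
    if rule.flags is not None and set(rule.flags) != set(pkt.flags):
        return False
    if rule.content is not None:
        hay, needle = pkt.payload.decode("latin-1"), rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def evaluate(pkt: Packet, rules: List[Rule], home_net: Set[str],
             order: Tuple[str, ...] = DEFAULT_ORDER) -> Optional[Tuple[str, int]]:
    """Return (action, sid) of the rule type that wins under `order`, or None."""
    matched = [r for r in rules if rule_matches(r, pkt, home_net)]
    for action in order:
        winners = [r for r in matched if r.action == action]
        if winners:
            return action, winners[0].sid
    return None


# Constructed home network and the two rules from the thread.
HOME_NET = {"10.0.0.5"}
RULES = [parse_rule(r) for r in (
    'pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A; '
    'classtype:not-suspicious; sid:10000013; rev:1;)',
    'alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A; '
    'content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)',
)]
# Constructed ACK-only packet carrying the string both rules care about.
ACK_WITH_CONTENT = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, "A", b"xx Bogus TROJAN xx")
# Constructed PSH+ACK packet: flags:A does not match, so neither rule fires.
PSH_ACK_WITH_CONTENT = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, "PA", b"bogus trojan")

if __name__ == "__main__":
    print(evaluate(ACK_WITH_CONTENT, RULES, HOME_NET))                     # ('pass', 10000013)
    print(evaluate(ACK_WITH_CONTENT, RULES, HOME_NET, ALERT_BEFORE_PASS))  # ('alert', 10000014)
    print(evaluate(PSH_ACK_WITH_CONTENT, RULES, HOME_NET))                 # None
```

The model shows two things a defender checking such a rule pair wants to see: under the default order the pass rule on sid 10000013 suppresses the trojan alert for any ACK-only packet from $HOME_NET, and because an unmodified `flags:A` requires ACK to be the only flag set, packets that carry data with PSH+ACK match neither rule at all.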
