Snort mailing list archives
snort 1.8 rules
From: Phil Wood <cpw () lanl gov>
Date: Thu, 24 May 2001 14:33:06 -0600
Folks,
It appears that a rule like:
alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "ddos-shaft-synflood-outgoing"; seq: 674711609; flags: S; reference: arachnids,253;)
or
alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos;)
will catch packets like:
10.0.0.0:1024 -> 1.2.3.4:37123
I think the intent of the rules was to look for source ports LESS than 1024.
Thanks,
Phil
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
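The point Phil raises is a boundary issue in Snort's port syntax: a port field written `:N` in a rule header means "less than or equal to N", so `:1024` includes port 1024 itself, and a rule meant to catch only privileged source ports (below 1024) has to say `:1023`. The following is an added example, not code from the post or from the Snort project. It is a small reimplementation of Snort's documented port-field forms (`any`, `N`, `:N`, `N:`, `N:M`, and `!` negation; the function names and the packet used are my own constructions) that evaluates the packet from the post against both the original `:1024` field and the corrected `:1023` field.

```python
"""Model of Snort rule-header port fields, showing why ':1024' matches port 1024.

Added example (not Snort code). Assumed semantics, as documented for Snort:
  any    -> every port
  N      -> exactly N
  :N     -> 0 .. N inclusive (less than OR EQUAL to N)
  N:     -> N .. 65535 inclusive
  N:M    -> N .. M inclusive
  !spec  -> negation of any of the above
"""
import re

MAX_PORT = 65535


def parse_port_spec(spec):
    """Return (negated, low, high) for a Snort-style port field."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, 0, MAX_PORT
    m = re.fullmatch(r"(\d+)?(:)?(\d+)?", spec)
    if not m or (m.group(1) is None and m.group(3) is None):
        raise ValueError("bad port spec: %r" % spec)
    lo, colon, hi = m.groups()
    if colon is None:
        # Plain 'N' with no colon: a single port. Guard against the regex
        # having split a bare number across the two digit groups.
        if hi is not None:
            raise ValueError("bad port spec: %r" % spec)
        port = int(lo)
        return negated, port, port
    low = int(lo) if lo is not None else 0          # ':N'  -> starts at 0
    high = int(hi) if hi is not None else MAX_PORT  # 'N:'  -> ends at 65535
    if not 0 <= low <= high <= MAX_PORT:
        raise ValueError("port range out of order or out of bounds: %r" % spec)
    return negated, low, high


def port_matches(spec, port):
    """True if a packet port satisfies the rule-header port field."""
    negated, low, high = parse_port_spec(spec)
    in_range = low <= port <= high
    return (not in_range) if negated else in_range


def rule_header_matches(src_spec, dst_spec, src_port, dst_port):
    """Apply only the two port fields of a rule header to a packet's ports."""
    return port_matches(src_spec, src_port) and port_matches(dst_spec, dst_port)


def privileged_source_port_spec():
    """The field that actually means 'source port below 1024' (0..1023)."""
    return ":1023"


if __name__ == "__main__":
    # Constructed packet, taken from the example in the post: 10.0.0.0:1024 -> 1.2.3.4:37123
    src_port, dst_port = 1024, 37123
    print("original field ':1024' matches src port 1024:",
          rule_header_matches(":1024", "any", src_port, dst_port))
    print("corrected field ':1023' matches src port 1024:",
          rule_header_matches(privileged_source_port_spec(), "any", src_port, dst_port))
    for port in (0, 1023, 1024, 1025):
        print("port %5d  ':1024' -> %-5s  ':1023' -> %s" % (
            port, port_matches(":1024", port), port_matches(":1023", port)))
```

Running it shows the original field firing on the packet and the corrected field staying quiet, with the only difference in behaviour at port 1024 exactly. The same off-by-one applies to any `:N` field in a Snort rule that was written while thinking of "below N" rather than "up to and including N".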