Snort mailing list archives
Re: What wins? TCP headers or packet contents?
From: John Sage <jsage () finchhaven com>
Date: Fri, 13 Sep 2002 21:51:01 -0700
Good golly, miss molly... At least someone was paying attention.

On Thu, Sep 12, 2002 at 08:31:27PM -0400, Chris Green wrote:

> John Sage <jsage () finchhaven com> writes:
>
> > Let me bring the question up to the top:
> >
> > <snip the question, 'cause there wasn't really one>
>
> Let's chop up this mail a bit. There's no notion of what wins because
> it's a logical AND of the portions in the rule header and in the rule
> options list.
>
> The rule: "Check TCP traffic from $EXTERNAL_NET with any source port to
> HOME_NET port 32770 or above and look for Foo flags with a content of
> OOOOOOOOOOOOOO02010186A1 starting 5 bytes into the packet"
>
> rpc.rules:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query";
> flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5;
> reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)
>
> <snip>

arf.. Oh. Yeah. That *semicolon* after "32770".. heh.. yeah.. *That* semicolon. heh.. hmm..

Thanks, Chris. That's why you get paid the big bucks (I hope)!

- John

--
"Obviously, we do not want to leave zombies around."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
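Chris's point above, that the rule header and the rule options are ANDed rather than one "winning" over the other, can be seen by emulating the match. The following Python is an added example written for this archive page; it is not Snort's own matching engine and not code from either poster. It parses the quoted rpc.rules entry with a deliberately simplified reading of the header (protocol, address variables, port ranges such as `32770:`) and of the `flags`, `content` and `offset` options, then tests it against constructed packets. Assumptions: `$HOME_NET` is the constructed prefix `10.0.0.`, `$EXTERNAL_NET` is everything else, and the ONC RPC payload bytes (record marker, xid, CALL, version 2, program 100001) are constructed for the example.

```python
import re
from dataclasses import dataclass

# Rule text copied from the thread (rpc.rules, sid:1278 rev:3).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: '
        '(msg:"RPC rstatd query"; flags:A+; '
        'content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; '
        'reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)')

HOME_NET = "10.0.0."   # constructed binding; $EXTERNAL_NET is treated as "not HOME_NET"


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters as Snort names them, e.g. "AP" = ACK+PSH
    payload: bytes


def parse_port(spec):
    """Snort port spec -> inclusive (lo, hi): 'any', '111', '32770:', ':1024', '1:1024'."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def parse_content(value):
    """Snort content string: text outside |...| is literal, inside is hex bytes."""
    out = b""
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 == 1 else chunk.encode("latin-1")
    return out


def parse_rule(text):
    """Split a rule into its header fields and a dict of options (simplified)."""
    header, opts = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = {}
    for item in opts.rstrip(")").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": parse_port(sport),
            "dst": dst, "dport": parse_port(dport), "opts": options}


def addr_matches(var, ip):
    if var == "any":
        return True
    in_home = ip.startswith(HOME_NET)
    return in_home if var == "$HOME_NET" else not in_home


def flags_match(spec, flags):
    """'A+' = ACK set, others allowed; 'A' alone = exactly ACK."""
    required = set(spec.rstrip("+*"))
    return required <= set(flags) if spec.endswith("+") else required == set(flags)


def header_matches(rule, pkt):
    return (pkt.proto == rule["proto"]
            and addr_matches(rule["src"], pkt.src)
            and rule["sport"][0] <= pkt.sport <= rule["sport"][1]
            and addr_matches(rule["dst"], pkt.dst)
            and rule["dport"][0] <= pkt.dport <= rule["dport"][1])


def options_match(rule, pkt):
    opts = rule["opts"]
    if "flags" in opts and not flags_match(opts["flags"], pkt.flags):
        return False
    if "content" in opts:
        # offset:N means the content search begins N bytes into the payload.
        start = int(opts.get("offset", 0))
        if pkt.payload.find(parse_content(opts["content"]), start) == -1:
            return False
    return True


def matches(rule, pkt):
    # The whole point of the thread: header AND options, neither one "wins".
    return header_matches(rule, pkt) and options_match(rule, pkt)


# Constructed ONC RPC-over-TCP call: record marker, xid, CALL(0), version 2, program 100001.
RSTATD_CALL = (b"\x80\x00\x00\x28" + b"\x12\x34\x56\x78" + b"\x00\x00\x00\x00"
               + b"\x00\x00\x00\x02" + b"\x00\x01\x86\xa1" + b"\x00" * 20)
NFS_CALL = RSTATD_CALL.replace(b"\x00\x01\x86\xa1", b"\x00\x01\x86\xa3")  # program 100003


def run_demo():
    """Returns match results for: hit, wrong port, wrong program, no ACK, boundary port."""
    rule = parse_rule(RULE)
    base = dict(proto="tcp", src="192.0.2.10", sport=40000, dst="10.0.0.5")
    return [
        matches(rule, Packet(**base, dport=32771, flags="AP", payload=RSTATD_CALL)),  # True
        matches(rule, Packet(**base, dport=111, flags="AP", payload=RSTATD_CALL)),    # False: header
        matches(rule, Packet(**base, dport=32771, flags="AP", payload=NFS_CALL)),     # False: content
        matches(rule, Packet(**base, dport=32771, flags="S", payload=RSTATD_CALL)),   # False: flags
        matches(rule, Packet(**base, dport=32770, flags="A", payload=RSTATD_CALL)),   # True: 32770 inclusive
    ]


if __name__ == "__main__":
    print(run_demo())
```

The second and third cases are the ones the thread is about: a packet to port 111 with a perfect content match is not alerted on, and a packet to a high port without the rstatd bytes is not either. The last case shows that `32770:` includes 32770 itself, which is what the semicolon-looking colon in the rule header is doing.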
Current thread:
- What wins? TCP headers or packet contents? John Sage (Sep 10)
- Re: What wins? TCP headers or packet contents? Erek Adams (Sep 11)
- Re: [Snort-devel] Re: What wins? TCP headers or packet contents? John Sage (Sep 11)
- Re: [Snort-devel] Re: What wins? TCP headers or packet contents? John Sage (Sep 11)
- Re: What wins? TCP headers or packet contents? Chris Green (Sep 12)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 13)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 14)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 13)
- Re: What wins? TCP headers or packet contents? Erek Adams (Sep 11)