Snort mailing list archives
Re: Maybe I'm missing something...
From: beenph <beenph () gmail com>
Date: Thu, 6 May 2010 00:01:47 -0400
Missed the colon not quite visible on my monitor, my bad.

But besides that,

alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet; sid:2002117; rev:5;)

Seems like ACK is set in reply (wireshark)

flags:R,12; -> flags:+R,12

On Wed, May 5, 2010 at 11:50 PM, Will Metcalf <william.metcalf () gmail com> wrote:
> Don't forget the colon...
>
> alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024:
>
> According to the example in the snort manual this means any port equal to or greater than 1024, 43844 > 1024.
>
> "log tcp any :1024 -> 192.168.1.0/24 500:
> log tcp traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 500"
>
> Regards,
> Will
------------------------------------------------------------------------------
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
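
An added illustration, not part of the thread and not Snort's own code: a simplified Python model of the two points discussed above, the `1024:` port range and `flags:R,12` versus `flags:+R,12` evaluated against a RST+ACK reply. The function names and the sample flag byte 0x14 are constructed for this example, and the assignment of `1` and `2` to bits 0x80 and 0x40 is an assumption that does not change the result because both are masked.

```python
# Simplified model of Snort rule matching for TCP flags and port ranges.
# Added example; names are hypothetical, sample values are constructed.

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}  # 1/2: reserved bits (assumed order)

def parse_flags_option(opt):
    """Parse 'R,12' or '+R,12' into (modifier, wanted_bits, ignored_bits)."""
    spec, _, mask = opt.strip().rstrip(";").partition(",")
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    wanted = sum(FLAG_BITS[c.upper()] for c in set(spec))
    ignored = sum(FLAG_BITS[c.upper()] for c in set(mask))
    return modifier, wanted, ignored

def flags_match(opt, pkt_flags):
    """Return True if the packet's TCP flag byte satisfies the flags option."""
    modifier, wanted, ignored = parse_flags_option(opt)
    seen = pkt_flags & 0xFF & ~ignored      # masked bits never take part in the test
    if modifier == "+":                     # wanted bits set, any others allowed
        return (seen & wanted) == wanted
    if modifier == "*":                     # any one of the wanted bits set
        return (seen & wanted) != 0
    if modifier == "!":                     # none of the wanted bits set
        return (seen & wanted) == 0
    return seen == wanted                   # no modifier: exact match

def port_match(spec, port):
    """'1024:' is >= 1024, ':1024' is <= 1024, 'a:b' is a range, 'n' is exact."""
    if ":" not in spec:
        return port == int(spec)
    lo, _, hi = spec.partition(":")
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)

if __name__ == "__main__":
    RST_ACK = 0x04 | 0x10                   # constructed: reply with RST and ACK set
    print("dst 43844 in '1024:' :", port_match("1024:", 43844))
    print("flags:R,12  vs RST+ACK:", flags_match("R,12", RST_ACK))
    print("flags:+R,12 vs RST+ACK:", flags_match("+R,12", RST_ACK))
```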