Snort Forums Archive
Stream4 and SYN flags
Posted by maverick on March 14, 2005 13:30:41
Is it possible to make generic signatures like an SSH connection (something similar to "alert TCP $EXTERNAL_NET any -> $HOME_NET 22 (flags:S+;)") work with the Stream4 preprocessor? Commenting out the flags portion of the rule or the Stream4 preprocessor will trigger the appropriate events, but if both are present, the rule will not trigger. Are generic, broad rules a sacrifice made with using stream4?
Posted by roesch on March 15, 2005 05:56:50
Add a "stateless" keyword to the rule and it should work.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (flags: S+; stateless; msg: "SSH connection";)
-Marty
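
The three observations in this thread (no alert with flags plus Stream4, an alert when either is removed, an alert once "stateless" is added) can be reproduced with a small model. This is an added example, not part of the original posts and not Snort code. The stream4 gate in `would_alert` is an assumption made for illustration, header matching is assumed to have succeeded, and the `NO_FLAGS` rule and all function names are constructed here.

```python
# Simplified model of the behaviour described in this thread. The stream4
# gate is an assumption made for illustration, not Snort source code.
# Header matching (protocol, addresses, ports) is assumed to have succeeded.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_options(rule):
    """Return (flags spec or None, stateless?) from a rule's option block."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    spec, stateless = None, False
    for opt in body.split(";"):  # naive split: assumes no ';' inside msg text
        name, _, value = opt.partition(":")
        if name.strip() == "flags":
            spec = value.strip()
        elif name.strip() == "stateless":
            stateless = True
    return spec, stateless

def flags_match(spec, tcp_flags):
    """Exact match by default; '+' = listed bits plus any others; '*' = any listed bit."""
    want = 0
    for ch in spec:
        if ch in FLAG_BITS:
            want |= FLAG_BITS[ch]
    seen = tcp_flags & 0x3F  # reserved bits are ignored in this model
    if "+" in spec:
        return (seen & want) == want
    if "*" in spec:
        return (seen & want) != 0
    return seen == want

def would_alert(rule, tcp_flags, established, stream4=True):
    """True if the modelled sensor raises an alert for this packet."""
    spec, stateless = parse_options(rule)
    if spec is not None and not flags_match(spec, tcp_flags):
        return False
    # Assumed stream4 gate: drop alerts outside an established session
    # unless the rule is marked stateless.
    if stream4 and not stateless and not established:
        return False
    return True

SYN, ACK = 0x02, 0x10  # constructed sample flag bytes
ORIGINAL = 'alert TCP $EXTERNAL_NET any -> $HOME_NET 22 (flags:S+;)'
FIXED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
         '(flags: S+; stateless; msg: "SSH connection";)')
NO_FLAGS = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "SSH connection";)'
```

A bare SYN is never part of an established session, which is why the original rule stays silent in this model until it is marked stateless.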
Posted by maverick on March 15, 2005 06:14:55
Thanks Marty. Gotta bone up on my non-payload detection options.