Hosting Provided By

[Snort-sigs] Does rules 2159 make sense ?

From: Sean Wheeler <s.wheeler(at)netprotect.ch>
Date: Sun Mar 28 2004 - 11:25:05 EST

Hi,

I came across this rule where : flow:established & stateless flow options are set.

Does this make any sense as my interpretation would be the connection should be established but the state of the connection ( established or not) does not really matter

could someone please explain why and if this rule is correct.

alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type (0)"; flow:established; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; offset:0; depth:16; content:"|00|"; distance:2; within:1; stateless; classtype:bad-unknown; sid:2159; rev:4;)

Below the snippet from the 2.1.1 manual :

established trigger only on established TCP connections stateless trigger regardless of the state of the stream processor ( useful for packets that are designed to cause machines to crash )

regards

Do you need help?

Sean

This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Mon Mar 29 03:45:19 2004

This message: [ Message body ]
Next message: Sean Wheeler: "[Snort-sigs] some corrections to rules incorrectly refering to a reference resource not located in etc/reference.config"
Previous message: Jason Haar: "Re: [Snort-sigs] writing signatures from isolated viruses"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:39 EDT