Changeset 1720

Timestamp:
11/27/06 22:08:38 (2 years ago)
Author:
mbr
Message:

replaced dsize:>20 criteria with psad_dsize:>100 in 'BAD-TRAFFIC data in TCP SYN packet' to make sure to get past TCP options (which are included with the SYN packet)

Files:

  • psad/trunk/signatures

    r1709 r1720  
    189189alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; classtype:misc-activity; sid:524; psad_id:100101; psad_dl:2;) 
    190190alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; psad_id:100102; psad_dl:2;) 
    191 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; dsize:>20; flags:S; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:207; psad_id:100000; psad_dl:2;) 
     191alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; psad_dsize:>100; flags:S; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:207; psad_id:100000; psad_dl:2;) 
    192192### traffic may be logged over the loopback interface via iptables 
    193193### much more readily than running Snort on a loopback interface,
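
Review bot: On the modified line 191, the new threshold `psad_dsize:>100` is an unexplained constant. The commit message says it is there to get past the TCP options carried in the SYN, but nothing in the signatures file records that. A `###` comment above the rule, in the style of the comments that follow it, should state what `psad_dsize` counts and why 100 was chosen. TCP options occupy at most 40 bytes, so the margin is generous, and a SYN carrying a small payload that the previous `dsize:>20` was meant to flag may now go unmatched; if that trade-off is intended, the comment should say so. The rule also keeps `sid:207` although its match criteria no longer correspond to the dsize-based original, which is worth noting in the same comment.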