Changeset 1757

Timestamp:
12/03/06 22:58:41 (2 years ago)
Author:
mbr
Message:

restored dsize to >20 since psad itself handles greater TCP header sizes for SYN packets now

Files:

  • psad/trunk/signatures

    r1739 r1757  
    193193alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; classtype:misc-activity; sid:524; psad_id:100101; psad_dl:2;) 
    194194alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; psad_id:100102; psad_dl:2;) 
    195 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; psad_dsize:>100; flags:S; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:207; psad_id:100000; psad_dl:2;) 
     195### note that psad derives the payload length of a TCP packet from the 
     196### IP header, so it treats TCP SYN packets (which contain options) as 
     197### being 44 bytes longer (this is the maximum possible) than other 
     198### TCP packets. 
     199alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; psad_dsize:>20; flags:S; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:207; psad_id:100000; psad_dl:2;) 
    196200### traffic may be logged over the loopback interface via iptables 
    197201### much more readily than running Snort on a loopback interface,
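Review bot: the new comment block (lines 195-198) contradicts the commit message, and the stated figure looks wrong. The message says psad "itself handles greater TCP header sizes for SYN packets now", which is the justification for dropping the threshold back from `psad_dsize:>100` to `psad_dsize:>20`; the comment, however, says psad still derives the payload length from the IP header and therefore sees SYN packets as up to 44 bytes longer than other TCP packets. If the comment is accurate, a SYN carrying no data but more than 20 bytes of options would exceed `>20` and fire sid 207 as a false positive; if the commit message is accurate (psad subtracts the actual header length given by the TCP data offset), the comment is stale and should say so instead. Either way the "44 bytes (this is the maximum possible)" figure should be rechecked: the TCP data offset field allows at most a 60-byte header, so the option area is capped at 40 bytes beyond the 20-byte minimal header. Suggest rewriting the comment to state what psad actually computes for SYN packets and why `>20` is the right threshold under that computation, e.g. "### psad subtracts the TCP header length (including options) before comparing dsize, so a bare SYN yields 0".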