The Packet:
Transmission Control Protocol, Src Port: pptp (1723), Dst Port: 2428
(2428), Seq: 190, Ack: 2594307140, Len: 0
Source port: pptp (1723)
Destination port: 2428 (2428)
Sequence number: 190 (relative sequence number)
Header length: 20 bytes
Flags: 0x0004 (RST)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 0
Checksum: 0x7b63 [correct]
0000 00 01 80 3b 0a 93 08 00 20 9f f9 5d 08 00 45 00 ...;.... ..]..E.
0010 00 28 3f e3 40 00 38 06 8e 58 8e e3 25 07 c0 a8 .(?.@.8..X..%...
0020 00 02 06 bb 09 7c 86 7b 29 36 00 00 00 00 50 04 .....|.{)6....P.
0030 00 00 7b 63 00 00 55 55 55 55 55 55 ..{c..UUUUUU
The Rule:
alert tcp any any -> any any (msg:"PPTP: Connection Failed";
content:"|00 50 04|"; classtype:misc-activity; sid:1000001; rev:1;)
I know it shouldn't be 'any any' but I was trying to eliminate
possibilities as to why it wouldn't work. This also probably isn't the
best way to track this; I was just looking at the bleeding ssh
connection rule, and it uses flags. I am just playing around.
Thanks.
On 11/19/05, Jason Brvenik <jasonb@sourcefire.com> wrote:
On it's face that should work but there could be a number of problems
with the rule or the packet. Can you provide the actual packet and rule
you are testing with?
Paul Halliday wrote:
I am just trying to make a couple simple rules but they fail to fire.
Can someone just clarify this:
I am looking at a TCP packet with ethereal that looks like this:
06 bb 09 75 74 0c e2 c4 00 00 00 00 50 04 00 00 d4 4a 00
I want the rule to fire on the pattern 00 50 04
I have a rule that looks like:
content:"|00 50 04|"
yet it doesnt fire. Is there something that I have missed?
Thanks.
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id�845&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
--
_________________
Paul Halliday
http://pintumbler.com/
"Diplomacy is the art of saying "Nice doggie!" till you can find a rock."
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id�845&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
