
| Subject: | Re: [Snort-users] Any way to do something like "Flowbits, " but for other than a TCP stream? |
|---|---|
| Date: | Fri, 16 Nov 2007 11:15:48 -0500 |
You could do a chain of flowbits, sure. Make another rule: set a flowbit (flowbit:proto103sucks;) on the proto 77 packet in the first signature, then check the proto103sucks bit on the proto 103 packet.

Shirkdog
' or 1=1--
http://www.shirkdog.us
Date: Thu, 15 Nov 2007 16:02:03 -0500
From: Stephen.Bachelor.ctr@socom.mil
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Any way to do something like "Flowbits, " but for other than a TCP stream?

My problem is false positives on rule 1:2189, Bad-Traffic IP Proto 103. To exploit the vulnerability, one must send 4 packets with successive protocol types: 53, 55, 77, and 103. The Snort rule only seems to look for proto_id: 103, and it's creating thousands of false positives for me. How can I make it trigger on 103 only if there's been a proto_id: 77 to the same destination, one packet earlier? As far as I can tell, thresholding rules aren't quite flexible enough to help.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
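The flowbit chain the reply describes, written out as Snort 2.x rules. This is an added example, not code from the thread or from the Snort ruleset: the protocol numbers 53/55/77/103 and rule 1:2189 come from the question, while the sids (1000001-1000004), the msg strings, the flowbit names and the $EXTERNAL_NET/$HOME_NET variables are assumptions. It goes one step beyond the reply by chaining all four packets instead of only 77 to 103; the 77-to-103 pair on its own is just stages 3 and 4. The stock 1:2189 rule has to be disabled, otherwise it keeps alerting on every bare proto 103 packet.

```snort
# Added example, not from the thread. Protocols 53/55/77/103 and rule 1:2189
# come from the question; sids, msg text, flowbit names and the $EXTERNAL_NET /
# $HOME_NET variables are assumptions. Disable stock rule 1:2189 first.

# Stage 1: proto 53 arms the chain. flowbits:noalert keeps staging rules silent,
# so only the last rule produces an alert.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL proto 53 seen (stage 1 of 4)"; ip_proto:53; flowbits:set,seq.p53; flowbits:noalert; classtype:bad-unknown; sid:1000001; rev:1;)

# Stage 2: proto 55 only counts if proto 53 was already seen on this session.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL proto 55 after 53 (stage 2 of 4)"; ip_proto:55; flowbits:isset,seq.p53; flowbits:set,seq.p55; flowbits:noalert; classtype:bad-unknown; sid:1000002; rev:1;)

# Stage 3: proto 77 only counts after proto 55. On its own this rule plus stage 4
# is exactly the two-rule chain suggested in the reply.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL proto 77 after 55 (stage 3 of 4)"; ip_proto:77; flowbits:isset,seq.p55; flowbits:set,seq.p77; flowbits:noalert; classtype:bad-unknown; sid:1000003; rev:1;)

# Stage 4: the only rule that alerts. proto 103 fires when proto 77 (and so 55
# and 53) preceded it on the same session; unset so one sequence gives one alert.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL proto 103 after 53/55/77 sequence"; ip_proto:103; flowbits:isset,seq.p77; flowbits:unset,seq.p77; classtype:bad-unknown; sid:1000004; rev:1;)
```

Two caveats before relying on this. First, a flowbit is a per-session flag, not a "previous packet" marker: once seq.p77 is set, any proto 103 packet between the same two hosts fires stage 4 until the bit is unset or the session times out, which is looser than the "one packet earlier" the question asks for but still removes the bare-103 false positives. Second, flowbits live in the session state kept by the stream preprocessor, which in Snort 2.x only tracks the protocols it is configured for; whether a 2.8-era stream5 keeps a session for raw IP protocols such as 53 or 103 is something to verify against the manual for the version in use (later 2.9 releases have an explicit IP-session tracking option), because without a session the set bit has nowhere to persist and stage 4 will never match.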