
List:       snort-sigs
Subject:    [Snort-sigs] Maybe I'm missing something...
From:       Will Metcalf <william.metcalf () gmail ! com>
Date:       2010-05-06 2:17:36
Message-ID: j2wc13e433a1005051917qe1baf6baz82531ed5bd32c1c2 () mail ! gmail ! com

But I think this rule should fire on the attached pcap.  I realize
that this isn't the intended purpose of the rule but it illustrates
the point.  This is using snort-2.8.5.3, please correct me if I'm
wrong.

Regards,

Will

alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet; sid:2002117; rev:5;)

var HOME_NET [10.0.0.0/8,192.168.0.0/16,127.0.0.1]
var EXTERNAL_NET any

19:36:55.033713 IP 192.168.100.13.43844 > 192.168.2.35.6112: Flags [S], seq 261064610, win 5840, options [mss 1460,sackOK,TS val 4825806 ecr 0,nop,wscale 7], length 0
19:36:55.142385 IP 192.168.2.35.6112 > 192.168.100.13.43844: Flags [R.], seq 0, ack 261064611, win 0, length 0

["PSBattleNet.pcap" (application/cap)]
