Subject: [Snort-users] Why flags PA?
From: Reckhard, Tobias (reckhard@secunet.de)
Date: Tue Nov 28 2000 - 02:02:34 CST


Hi all.

We've got a student here, comparing different Intrusion Detection Systems,
snort being one of them. As an Open Source fan, I'm rather interested in the
latter, but haven't had the chance to check into it deeply yet.

Now he's been testing the IDS with CyberCop and noticed that snort didn't
pick up a lot of the simulated intrusions. Checking the snort signature
files, he noticed that most rules have the flags P (TCP PuSH) and A (TCP
ACK) set. Is there a good reason for this? He further noticed that some
CGI-BIN queries indeed involved packets with both of those TCP flags set
when using MS IE as a client. However, I suppose that a real attack would
probably involve packets crafted by hand or by a specialised attack tool,
which wouldn't need to set the PSH bit, at least. Snort wouldn't pick this
up, would it?

I'd be grateful for any insights. And sorry if this should be an FAQ; I've
just subscribed to this list two days ago.

Cheers

-- 
Tobias Reckhard
secunet 
Security Networks AG       Tel   : +49(6196)95888-42
Mergenthalerallee 77       Fax   : +49(6196)95888-88
D-65760 Eschborn           E-Mail: reckhard@secunet.de

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
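The question above turns on what Snort's `flags:` rule option actually matches. The following is an added example, not part of the original post and not Snort's own code: a small Python model of the `flags:` matching modes (exact match, the `+` "these bits plus any others" modifier, the `*` "any of these bits" modifier, and the `,12` suffix that masks the two reserved bits), run over a handful of constructed TCP flag bytes. It shows why a rule written `flags: PA` only fires on packets carrying exactly PSH and ACK, while `flags: A+` fires on any ACK-bearing segment regardless of PSH or URG. The packet names and flag values are constructed for illustration.

```python
"""Model of Snort's ``flags:`` option (illustrative, not Snort's code).

Flag letters follow Snort's notation; ``1`` and ``2`` are the two
reserved bits (0x80 and 0x40) that ECN-capable hosts may set on a SYN.
"""

TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # reserved bit 2 (ECE in modern TCP)
    "1": 0x80,  # reserved bit 1, MSB of the flag byte (CWR in modern TCP)
}


def parse_flags(spec):
    """Turn a letter string such as 'PA' or '12' into a flag bitmask."""
    mask = 0
    for ch in spec:
        mask |= TCP_FLAGS[ch]
    return mask


def flags_match(rule, pkt_flags):
    """Evaluate the text of a ``flags:`` option against a packet's flag byte.

    Modes modelled:
      'PA'     exact: every listed bit set and no other bit set
      'A+'     listed bits set, any other bits allowed
      '*SA'    at least one of the listed bits set
      'S,12'   after a comma, bits to ignore before comparing (reserved bits)
    """
    rule = rule.replace(" ", "")
    ignore = 0
    if "," in rule:
        rule, ignore_spec = rule.split(",", 1)
        ignore = parse_flags(ignore_spec)

    mode = "exact"
    if rule.endswith("+"):
        mode, rule = "plus", rule[:-1]
    elif rule.startswith("*"):
        mode, rule = "any", rule[1:]

    want = parse_flags(rule)
    have = pkt_flags & 0xFF & ~ignore

    if mode == "exact":
        return have == want
    if mode == "plus":
        return (have & want) == want
    return (have & want) != 0


# Constructed flag bytes standing in for the packets discussed in the post.
SAMPLE_PACKETS = {
    "IE GET (PSH+ACK)": 0x18,
    "GET without PSH (ACK only)": 0x10,
    "GET with PSH+ACK+URG": 0x38,
    "SYN (handshake)": 0x02,
    "SYN with reserved/ECN bits": 0x42,
}


def coverage(rule, packets=SAMPLE_PACKETS):
    """Names of the sample packets a given flags: rule text would match."""
    return [name for name, flags in packets.items() if flags_match(rule, flags)]


if __name__ == "__main__":
    for rule in ("PA", "A+", "*SA", "S", "S,12"):
        print(f"flags: {rule:5s} -> {coverage(rule)}")
```

Run as a script it prints, for each rule text, which of the constructed packets would trigger it; `PA` catches only the first, `A+` catches all three ACK-bearing segments. That difference is the reason later Snort rule sets moved content rules from `flags:PA` to `flags:A+` (and, once the stream preprocessor existed, to `flow:established`), so that a client omitting PSH does not fall outside the rule.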