RE: Signature Proposal: msg#00119

security.ids.snort.sigs

Subject: RE: Signature Proposal

alert tcp $EXTERNAL_NET 0 -> $HOME_NET any (msg:"TCP Source Port of 0";)
alert udp $EXTERNAL_NET 0 -> $HOME_NET any (msg:"UDP Source Port of 0";)
 
That was easy.
-----Original Message-----
From: snort-sigs-admin@xxxxxxxxxxxxxxxxxxxxx [mailto:snort-sigs-admin@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Holger Heimann
Sent: Monday, October 04, 2004 12:47 PM
To: 'snort-sigs@xxxxxxxxxxxxxxxxxxxxx'
Subject: [Snort-sigs] Signature Proposal

Hi Folks,

 

in addition to the signatures 524 and 525 (tcp/udp destination port zero), we'd like to see similar signatures with a source port of zero.

 

I've seen that on other IDS and it's been discussed in forensic and pentest forums also.

 

Thanks a lot,

Holger

 

--

it.sec GmbH & Co. KG      - Online Spam Filtering

Sedanstrasse 10/Geb. 17   - Worlds first Free Online Vulnerability Check:

D-89077 Ulm                 http://www.it-sec.de/freecheck.html

Fon: +49 (0)731/20589-0   - Professional Vulnerability Scans

Fax: +49 (0)731/20589-29    www.perisec.com

holger.heimann@xxxxxxxxx

      

www.it-sec.de             info@xxxxxxxxx

--------------------------------------------------
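
Added example, not part of either message and not Snort's own code: the condition the two rules in the reply express, applied to raw IPv4 packets, including the cases a port check must skip (IP options, non-first fragments, truncated packets). The HOME_NET range, the reading of $EXTERNAL_NET as "not HOME_NET", the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: stands in for $HOME_NET
PROTOS = {6: "TCP", 17: "UDP"}

def source_port_zero_alert(pkt: bytes):
    """Return the alert msg for a raw IPv4 packet, or None if neither rule matches."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not IPv4, or header truncated
    ihl = (pkt[0] & 0x0F) * 4            # header length including IP options
    if ihl < 20 or len(pkt) < ihl + 4:
        return None                      # malformed IHL, or no room for the ports
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    name = PROTOS.get(pkt[9])
    if name is None or frag_offset != 0:
        return None                      # later fragments carry no TCP/UDP header
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    if src in HOME_NET or dst not in HOME_NET:
        return None                      # assumption: $EXTERNAL_NET is "not HOME_NET"
    sport, _dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return f"{name} Source Port of 0" if sport == 0 else None

def build_packet(proto, src, dst, sport, dport, frag_offset=0, options=b""):
    """Construct a sample IPv4 packet (checksums left at 0; they are not inspected)."""
    ihl_words = 5 + len(options) // 4
    l4 = struct.pack("!HH", sport, dport) + bytes(16)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         ihl_words * 4 + len(l4), 0, frag_offset, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options + l4

if __name__ == "__main__":
    # Constructed sample traffic: (description, packet)
    samples = [
        ("tcp sport 0", build_packet(6, "198.51.100.7", "192.0.2.10", 0, 80)),
        ("udp sport 0 with IP options",
         build_packet(17, "198.51.100.7", "192.0.2.10", 0, 53, options=b"\x01" * 4)),
        ("tcp sport 1234", build_packet(6, "198.51.100.7", "192.0.2.10", 1234, 80)),
        ("non-first fragment, zero bytes where ports would be",
         build_packet(17, "198.51.100.7", "192.0.2.10", 0, 0, frag_offset=185)),
    ]
    for label, pkt in samples:
        print(f"{label}: {source_port_zero_alert(pkt)}")
```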

 
