On Tue, 2003-03-25 at 17:20, rmkml wrote:
> How track tcp session and if session is not full open (Syn-SynAck-Ack) and my
> box send tcp Reset ... flow:!established; ?
> More complicated in udp proto ....

true, need a way of tracking UDP 'connections' so that if packet goes from
A -> B, then traffic from B -> A will be considered 'established' and ICMP
traffic as 'related'.

That would be easy enough but at the moment I'm not spending too much time
implementing features that aren't part of the snort rulesets as they will
only find limited use...

--
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
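The UDP pseudo-connection tracking described in the reply above, as an added example that is not code from the message's author or from any project mentioned in it. The `UdpTracker` and `Pkt` names, the 30-second idle timeout, the use of the UDP header quoted inside an ICMP error to find the flow, and the sample packets are all assumptions made for this illustration.

```python
# Added illustration: names, timeout and sample packets are assumptions.
from collections import namedtuple

UDP_TIMEOUT = 30.0  # assumed idle timeout (s); UDP has no FIN/RST to end a flow
# inner = (src, sport, dst, dport) of the UDP header quoted in an ICMP error
Pkt = namedtuple("Pkt", "ts proto src sport dst dport inner", defaults=(None,))

class UdpTracker:
    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # 4-tuple of the flow's first packet -> state

    def _lookup(self, key, now):
        """Return (flow, is_reverse) for a live flow matching key either way."""
        for k, rev in ((key, False), ((key[2], key[3], key[0], key[1]), True)):
            flow = self.flows.get(k)
            if flow and now - flow["last"] > self.timeout:
                del self.flows[k]  # idle too long: forget the flow
                flow = None
            if flow:
                return flow, rev
        return None, False

    def classify(self, p):
        if p.proto == "udp":
            key = (p.src, p.sport, p.dst, p.dport)
            flow, rev = self._lookup(key, p.ts)
            if flow is None:
                self.flows[key] = {"last": p.ts, "replied": False}
                return "new"
            flow["last"] = p.ts
            flow["replied"] = flow["replied"] or rev  # B -> A has been seen
            # One-way traffic stays "new" until the peer answers.
            return "established" if flow["replied"] else "new"
        if p.proto == "icmp" and p.inner:
            flow, _ = self._lookup(p.inner, p.ts)
            return "related" if flow else "unrelated"
        return "untracked"

def demo():
    t, a, b = UdpTracker(), "192.0.2.10", "192.0.2.53"  # constructed hosts
    pkts = [  # constructed packet sequence
        Pkt(0.0, "udp", a, 40000, b, 53),                  # A -> B
        Pkt(0.1, "udp", b, 53, a, 40000),                  # B -> A reply
        Pkt(0.2, "udp", a, 40000, b, 53),                  # A -> B again
        Pkt(0.3, "icmp", b, 0, a, 0, (a, 40000, b, 53)),   # error quoting A -> B
        Pkt(0.4, "icmp", b, 0, a, 0, (a, 41000, b, 53)),   # error for unknown flow
        Pkt(60.0, "udp", b, 53, a, 40000),                 # late packet, flow expired
    ]
    return [t.classify(p) for p in pkts]
```

The last packet shows why the timeout matters: once the flow has expired, traffic from B to A is no longer a reply and is classified as a new, unsolicited flow.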