Rule for capturing SYN-scanning

Submitted by 。_饼干妹妹 on 2019-12-11 00:12:39

Question


I need to write a rule that captures SYN scanning.
I tried this: alert tcp any any -> any any (flags:S,12; msg:"SYN"; sid: 1231213;)
Then I tried to scan with nmap -sS myIP, but this does not output "SYN".
How do I write a correct rule? Thanks.


Answer 1:


Try changing flags:S,12 to flags:S, as the Snort manual states:

The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". The old values of '1' and '2' are still valid for the flag keyword, but are now deprecated.

So 12 will check if the two reserved bits are set, which is probably not what you want. Also, as I understand the documentation, flags:S will match packets with only SYN set, which should be correct in your case, I guess. If you want to match some flags regardless of other flags, you can use *.
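An added example, not code from the question, the answer or Snort itself: a small Python model of how Snort's flags keyword compares a rule's flag letters with a packet's TCP flags byte (exact match by default, * for any of the listed bits, + for all of them, ! for none; the optional part after the comma, such as 12 or CE, names bits the comparison ignores, which is how the Snort manual defines that second argument). The packet flag bytes are constructed to mirror the situation in the question.

```python
"""Model of Snort's TCP `flags` option, to see which packets a rule would match.

Flag letters follow the Snort manual: F S R P A U C E, with the deprecated
1 and 2 standing for C (CWR) and E (ECE).  This is an illustration of the
documented semantics, not Snort's own matching code."""

FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80,
    "2": 0x40, "1": 0x80,   # deprecated spellings of E and C
}

def _to_bits(letters: str) -> int:
    """Turn a flag-letter string into a bit mask; '0' means no flags at all."""
    if letters == "0":
        return 0
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits

def parse_flags_option(option: str):
    """Parse the text after 'flags:' into (mode, wanted_bits, ignored_bits)."""
    spec, _, mask = option.replace(" ", "").partition(",")
    mode = "exact"
    for modifier, name in (("+", "all"), ("*", "any"), ("!", "none")):
        if modifier in spec:          # manual documents it as a prefix
            mode = name
            spec = spec.replace(modifier, "")
    return mode, _to_bits(spec), (_to_bits(mask) if mask else 0)

def flags_match(option: str, packet_flags: int) -> bool:
    """True if a packet with this TCP flags byte satisfies the flags option."""
    mode, wanted, ignored = parse_flags_option(option)
    seen = packet_flags & ~ignored & 0xFF   # masked-out bits never count
    if mode == "exact":
        return seen == wanted
    if mode == "all":
        return seen & wanted == wanted
    if mode == "any":
        return seen & wanted != 0
    return seen & wanted == 0               # "none": listed bits must be clear

# Constructed flag bytes: a bare SYN as nmap -sS sends it, a SYN carrying the
# ECN bits an ECN-capable host sets on its own connections, and a SYN-ACK reply.
NMAP_SYN = 0x02
ECN_SYN = 0x02 | 0x40 | 0x80
SYN_ACK = 0x02 | 0x10
```

Run flags_match("S", NMAP_SYN) and flags_match("S", ECN_SYN) side by side to see why an exact S rule fires on the scanner's bare SYN but not on a host's ECN-marked SYN, while "*S" fires on any packet with SYN set.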



Source: https://stackoverflow.com/questions/12916171/rule-for-capturing-syn-scanning
