Friday, April 01, 2005

Detecting attacks in RFC3514-compliant traffic

Those of you who run RFC3514-compliant networks might be interested in this snort rule I wrote. It has an unusually good detection rate, with very low false positive and false negative rates. So far it's working well for me, so I thought I'd share it:

alert ip any any -> any any (msg:"RFC 3514 Attack Traffic Detected"; fragbits:R; classtype:misc-attack; sid:35140; rev:1;)
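As an added illustration (not part of the original post), the following Python does offline what the rule's fragbits:R test does: it decodes the IPv4 flags field and reports packets whose reserved bit (the RFC 3514 "evil" bit) is set, ignoring the DF and MF flags and the fragment offset. The sample packets are constructed inline; addresses and the builder function are assumptions for the example.

```python
import socket
import struct

# RFC 3514 "evil" bit: the high-order bit of the 16-bit flags/fragment-offset
# field (IPv4 reserved flag). Snort's fragbits:R tests exactly this bit.
EVIL_BIT = 0x8000
DF_BIT = 0x4000
MF_BIT = 0x2000

# Mirrors the msg/sid of the Snort rule in the post.
RULE_MSG = "RFC 3514 Attack Traffic Detected"
RULE_SID = 35140


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, flags_frag: int, proto: int = 6) -> bytes:
    """Constructed minimal 20-byte IPv4 header (no options) for testing only."""
    fields = [0x45, 0, 20, 0x1234, flags_frag, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fmt = "!BBHHHBBH4s4s"
    fields[7] = ipv4_checksum(struct.pack(fmt, *fields))
    return struct.pack(fmt, *fields)


def evil_bit_set(packet: bytes) -> bool:
    """True when the IPv4 reserved (evil) bit is set; DF/MF/offset are ignored."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_frag & EVIL_BIT)


def scan(packets) -> list:
    """Return one (sid, msg) alert per packet the rule would fire on."""
    return [(RULE_SID, RULE_MSG) for p in packets if evil_bit_set(p)]


if __name__ == "__main__":
    evil = build_ipv4_header("192.0.2.1", "198.51.100.7", EVIL_BIT)
    benign = build_ipv4_header("192.0.2.1", "198.51.100.7", DF_BIT)
    for sid, msg in scan([evil, benign]):
        print(f"[{sid}] {msg}")
```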
