Posted By:
karim_aloui
Posted On:
Wednesday, July 21, 2004 11:11 AM
hi,
My input is :
"{
event syn : tcp any any -> any any (flags :S;)
switch{
case event synack : tcp any any -> any any
(flags : SA;)
match : opposite_tcp_flow(syn, synack)
assert : open_port
(syn.ip.destination_address,
syn.tcp.destination_port)
timeout : syn + 2 sec
case event rst: tcp any any->any any(flags: SA;)
match : opposite_tcp_flow(syn, rst)
assert : closed_port
(syn.ip.destination_address,
syn.tcp.destination_port)
timeout : syn + 2 sec
default match : host_up(syn.ip.destination_address)
assert : filtered_port
(syn.ip.destination_address,
syn.tcp.destination_port)
}"
I want to separate the block "event" and the block "switch".
My input must be like this :
"event syn : tcp any any -> any any (flags :S;)"
"switch{
case event synack : tcp any any -> any any
(flags : SA;)
match : opposite_tcp_flow(syn, synack)
assert : open_port
(syn.ip.destination_address,
syn.tcp.destination_port)
timeout : syn + 2 sec
case event rst: tcp any any->any any(flags: SA;)
match : opposite_tcp_flow(syn, rst)
assert : closed_port
(syn.ip.destination_address,
syn.tcp.destination_port)
timeout : syn + 2 sec
default match : host_up(syn.ip.destination_address)
assert : filtered_port
(syn.ip.destination_address,
syn.tcp.destination_port)"
I want to have a solution for my problem. Please tell me your ideas. That will surely help me.
Thanks for your help!!
Karim
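One way to do the split described in the post, as an added example (not code from the poster): strip the outer braces, locate the top-level "switch{" keyword, and take the switch block up to its matching "}" by counting brace depth. Because the post's input closes the switch and the outer block with a single "}", the splitter also accepts a switch block whose closing brace is missing; the sample rule below is constructed from the post's input.

```python
import re
from typing import Tuple

# Constructed sample in the shape of the post's input (one trailing "}" closes both blocks).
SAMPLE_RULE = """{
event syn : tcp any any -> any any (flags :S;)
switch{
case event synack : tcp any any -> any any
(flags : SA;)
match : opposite_tcp_flow(syn, synack)
assert : open_port (syn.ip.destination_address, syn.tcp.destination_port)
timeout : syn + 2 sec
default match : host_up(syn.ip.destination_address)
assert : filtered_port (syn.ip.destination_address, syn.tcp.destination_port)
}"""

def _strip_outer_braces(text: str) -> str:
    """Drop the "{ ... }" wrapping the whole rule; the closing brace may be missing."""
    body = text.strip()
    if not body.startswith("{"):
        raise ValueError("rule must start with '{'")
    body = body[1:]
    if body.endswith("}"):
        body = body[:-1]
    return body.strip()

def _block_end(text: str, open_index: int) -> int:
    """Index just past the '}' matching the '{' at open_index (end of text if unbalanced)."""
    depth = 0
    for i in range(open_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(text)  # the post's input shares one '}' between switch and outer block

def split_rule(text: str) -> Tuple[str, str]:
    """Return (event_statement, switch_block) for a rule shaped like the post's input."""
    body = _strip_outer_braces(text)
    m = re.search(r"\bswitch\s*\{", body)
    if m is None:
        raise ValueError("no switch block found")
    event_part = body[: m.start()].strip()
    switch_part = body[m.start() : _block_end(body, m.end() - 1)].strip()
    return event_part, switch_part
```

With balanced braces (a "}" for the switch and another for the outer block) the switch block is returned with its closing brace; with the post's single "}" it is returned exactly as the post's expected output shows it.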