Consider the example Snort rule given below to detect a SYN-FIN attack. Assuming this rule is used on a Snort Inline IPS, how would you modify the rule to block such packets entering the home network?
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"SCAN SYN FIN"; flags:SF,12; \
reference:arachnids,198; classtype:attempted-recon;)