Snort mailing list archives
Re: Flags in snort rules
From: Bill McCarty <bmccarty () apu edu>
Date: Sun, 17 Mar 2002 17:48:04 -0800
Hi Brian,So, I must be misreading the packet trace. In any case, I changed the rule to "flags:SA!;". Apparently, that has the same meaning as "flags:S;". So, I seem to have what I want.
Thanks! --On Sunday, March 17, 2002 8:16 PM -0500 Brian <bmc () snort org> wrote:
According to Bill McCarty:I'm trying to code a Snort rule that will match packets having the SYN flag set but the ACK flag not set. It seemed to me that "flags:S;" would do this. But, looking at packet traces seems to indicate that such a rule matches packets with the SYN flag set, irrespective of the state of the ACK flag. Have I coded the rule incorrectly, read the packet traces incorrectly, or both?using "flags:S;" looks for packets with JUST the SYN flag. "flags:S+"; looks for packets with the SYN flag and may include any other flag.
--------------------------------------------------- Bill McCarty _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Flags in snort rules Bill McCarty (Mar 17)
- Re: Flags in snort rules Brian (Mar 19)
- Re: Flags in snort rules Bill McCarty (Mar 17)
- Re: Flags in snort rules Brian (Mar 19)