Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Flags in snort rules

From: Brian <bmc () snort org>
Date: Sun, 17 Mar 2002 20:16:54 -0500
According to Bill McCarty:

I'm trying to code a Snort rule that will match packets having the SYN flag 
set but the ACK flag not set. It seemed to me that "flags:S;" would do 
this. But, looking at packet traces seems to indicate that such a rule 
matches packets with the SYN flag set, irrespective of the state of the ACK 
flag.

Have I coded the rule incorrectly, read the packet traces incorrectly, or 
both?


using "flags:S;" looks for packets with JUST the SYN flag.
"flags:S+"; looks for packets with the SYN flag and may include any
other flag.

-brian

-- 
There is no spoon.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: