Re: Rule construction

[Bill McCarty <bmccarty () apu edu>]

After some experimentation, it seems that the NOT operator cannot be 
applied to a single flag. Instead, it applies to the entire set of 
specified flags.

So, it appears that two rules must be used:

>   flags:A
>   flags:AP

This DOES work, though perhaps there's a less wordy way to accomplish the 
same goal.

--On Sunday, March 24, 2002 10:15 AM -0800 Bill McCarty <bmccarty () apu edu> 
wrote:

> I want to create a TCP rule that expects the SYN flag to be off, the ACK
> flag to be on, and doesn't care about remaining flags, including PSH in
> particular. I think that such a rule requires the NOT operator (!). But,
> it's not clear whether that operator is prefix or postfix, etc. And, I
> don't find an example of its use in the rule set I'm using. So, I'm
> unsure.
>
> Q: Is the proper syntax "flags:S!A+; "?

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users