Re: fragbits option

[Erek Adams <erek () theadamsfamily net>]

On Wed, 27 Mar 2002, Sheahan, Paul (PCLN-NW) wrote:

> I'm testing using the fragbits option and have read the doc on writing
> rules. I'm trying to figure out my options when using the fragbits option.
> When is a "+" sign used and when is it not? For example, what's the
> difference between:
>
> fragbits: D
>
> and
>
> fragbits: D+

I'm looking at the PDF version of the SnortUsers Manual.  Section 2.3.7
Fragbits:

  "You can also use these modifers to indicate logical match critera for the
specified bits:  [Note: I think this was supposed to be in a table/list
instead of on one line...]
        *  +  -- ALL flag, Match on specified bits plus any others
        *  *  -- ANY flag, Match if any of the specified bits are set
        *  !  -- NOT flag, Match if the specified bits are not set."

(The first * on each line is just a marker, to show bullet style items.)

> And are there other symbols besides "+" that can be used? The docs are not
> very clear on this......

Yes, see above.

So to answer your question:

        fragbits: D  == Match only if the flag on the packet is D and nothing
else.  D and D only.

        fragbits: D+  == Match if the flag(s) on the packet are a D and
anything else.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users