Snort mailing list archives

A "Flowbits" issue


From: "tung tran" <tunghack () gmail com>
Date: Sun, 2 Dec 2007 11:05:12 -0800

Hi,
My question is: should we use "flowbits" to check a packet against
multiple rules, or should we only use "flowbits" to check the packets that come next?
If we consider this rule:
R0: alert tcp 192.168.0.1 any -> any any (content:"logged in"; flowbits:set,logged_in; content:"username:tung"; flowbits:set,tung_logged_in; sid:1000000;)
which marks the flow as: the specific user "tung" has logged in.
Can we split this rule into these 2 rules:
R1: alert tcp 192.168.0.1 any -> any any (content:"logged in"; flowbits:set,logged_in; flowbits:noalert; sid:1000001;)
R2: alert tcp 192.168.0.1 any -> any any (content:"username:tung"; flowbits:isset,logged_in; flowbits:set,tung_logged_in; sid:1000002;)
Do we normally write rules this way when we use "flowbits"? Is there
any situation where we should split a rule when "flowbits" is used?
The problem I see when using "flowbits" to check a packet against
multiple rules is that the rule triggering order might cause problems. In
the example above, if R1 is triggered before R2, these 2 rules do the
same thing as rule R0; however, if R2 is triggered before R1, these 2
rules don't function as we expect.
Any idea about this "flowbits" issue?
Thank you very much,
Tung
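The cross-packet idiom documented in the Snort manual, as an added example that is not part of the original post: the bit is set by the login banner in one packet and tested only on later packets of the same TCP session, so no rule depends on the order in which the engine evaluates rules against a single packet. The addresses and bit names follow the post; the `msg`, `sid`, `rev` and `flow` keywords, and the "logged out" content used to clear the state, are my additions and assumptions.

```snort
# Added example (not from the post). Session-state tracking with flowbits:
# set the bit when the login banner is seen, test it on later packets of the
# same session, and clear it when the session ends.

# Packet N: the "logged in" banner. Set the bit, suppress the alert.
alert tcp 192.168.0.1 any -> any any ( \
    msg:"STATE login banner seen"; \
    flow:established; \
    content:"logged in"; \
    flowbits:set,logged_in; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Packet N+k: only fires if the session already carries logged_in.
alert tcp 192.168.0.1 any -> any any ( \
    msg:"POLICY user tung active in an authenticated session"; \
    flow:established; \
    flowbits:isset,logged_in; \
    content:"username:tung"; \
    flowbits:set,tung_logged_in; \
    sid:1000002; rev:1; )

# Session teardown (assumed "logged out" marker): clear both bits so the
# state does not leak into later traffic on the same flow.
alert tcp 192.168.0.1 any -> any any ( \
    msg:"STATE logout seen"; \
    flow:established; \
    content:"logged out"; \
    flowbits:unset,logged_in; \
    flowbits:unset,tung_logged_in; \
    flowbits:noalert; \
    sid:1000003; rev:1; )
```

The `flowbits:isset` check in the second rule reads state stored on the flow by an earlier packet, which is the case flowbits are designed for; keeping the set and the isset on different packets is what removes the ordering question raised in the post.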
