Snort mailing list archives
Re: flowbits - checking multiple bits being set to create alerting
From: Patrick Mullen <pmullen () sourcefire com>
Date: Tue, 14 Jun 2011 12:37:58 -0400
Eoin,

Could you send a pcap and the three rules (the rule below and the two flowbit setting rules) to me that demonstrate this behavior? If what you describe is correct, this is a bug and we need to correct it. The way the rules language works, the flowbit checks as described below should be an AND-type series of checks.

Thanks,

~Patrick

On Mon, Jun 13, 2011 at 1:51 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
Experimenting in the lab and wondering about a rule checking two flowbits in order to fire. It appears that checking multiple flowbits within a single rule alerts using OR instead of AND? Just seems weird that all other things in the rule have to be true in order for the rule to fire except for multi-flowbit checking?

Example:

alert ip any any -> any any (msg:"Both flowbits set"; flowbits:isset,flowbit.numberone; flowbits:isset,flowbit.numbertwo; classtype:misc-activity; sid:1; rev:1;)

--
Eoin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
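The AND semantics Patrick describes follow from the way Snort walks a rule's options in the order they are written: each option is a check, and the first failing check stops the rule for that packet. The following toy model, added here as an illustration and not code from the thread or from Snort itself, parses the three rules the thread talks about (the checker from Eoin's post plus two constructed setter rules that carry "ONE" and "TWO" in the payload and use flowbits:noalert) and runs constructed traffic through them. Flow A sends ONE then TWO, flow B sends only ONE; only flow A should raise sid 3. The packet dictionaries, rule text and the per-flow bit store are all assumptions of this example.

```python
"""Toy model of how Snort evaluates flowbits options within one rule.

Constructed example (not Snort source code): a minimal rule parser and a
per-flow bit store, used to show that several `flowbits:isset` checks in
one rule must ALL pass (AND), because options are evaluated in sequence
and the first failing option stops the rule for that packet.
"""
import re
from collections import defaultdict

# Constructed rules: two setters plus the checker from the thread.
RULES = [
    'alert ip any any -> any any (msg:"Set bit one"; content:"ONE"; '
    'flowbits:set,flowbit.numberone; flowbits:noalert; sid:1; rev:1;)',
    'alert ip any any -> any any (msg:"Set bit two"; content:"TWO"; '
    'flowbits:set,flowbit.numbertwo; flowbits:noalert; sid:2; rev:1;)',
    'alert ip any any -> any any (msg:"Both flowbits set"; '
    'flowbits:isset,flowbit.numberone; flowbits:isset,flowbit.numbertwo; '
    'classtype:misc-activity; sid:3; rev:1;)',
]

# keyword, optional ':value' (quoted or up to the next ';'), terminating ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;')


def parse_rule(text):
    """Return (sid, [(keyword, value), ...]) with options in written order."""
    body = text[text.index('(') + 1:text.rindex(')')]
    options = [(k, (v or '').strip('"')) for k, v in OPTION_RE.findall(body)]
    sid = int(dict(options)['sid'])
    return sid, options


def flow_key(pkt):
    """Bidirectional flow identifier built from the packet's two endpoints."""
    return tuple(sorted([(pkt['src'], pkt['sport']), (pkt['dst'], pkt['dport'])]))


def evaluate(rules, packets):
    """Run every packet through every rule; return a list of (sid, flow) alerts."""
    bits = defaultdict(set)          # flow key -> names of bits currently set
    alerts = []
    for pkt in packets:
        flow = bits[flow_key(pkt)]
        for sid, options in rules:
            matched, suppress = True, False
            for keyword, value in options:   # sequential: first failure aborts
                if keyword == 'content':
                    matched = value.encode() in pkt['payload']
                elif keyword == 'flowbits':
                    op, _, name = value.partition(',')
                    if op == 'set':          # side effect; the check itself passes
                        flow.add(name)
                    elif op == 'unset':
                        flow.discard(name)
                    elif op == 'isset':
                        matched = name in flow
                    elif op == 'isnotset':
                        matched = name not in flow
                    elif op == 'noalert':    # rule may match but emits no alert
                        suppress = True
                if not matched:
                    break
            if matched and not suppress:
                alerts.append((sid, flow_key(pkt)))
    return alerts


def demo_packets():
    """Constructed traffic: flow A sees ONE then TWO; flow B sees only ONE."""
    flow_a = {'src': '10.0.0.1', 'sport': 40000, 'dst': '10.0.0.2', 'dport': 80}
    flow_b = {'src': '10.0.0.3', 'sport': 40001, 'dst': '10.0.0.2', 'dport': 80}
    return [dict(flow_a, payload=b'ONE'), dict(flow_a, payload=b'TWO'),
            dict(flow_b, payload=b'ONE'), dict(flow_b, payload=b'noise')]


def run_demo():
    """Parse RULES and evaluate them over the constructed packets."""
    return evaluate([parse_rule(r) for r in RULES], demo_packets())


if __name__ == '__main__':
    for sid, flow in run_demo():
        print(f'sid {sid} fired on flow {flow}')
```

Under OR semantics sid 3 would also fire on flow B after its first packet, since flowbit.numberone alone is set there; in the sequential model it never does, because the second isset check fails and aborts the rule. A pcap of this shape, replayed against the real rules, is exactly the kind of evidence the reply above asks for.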
Current thread:
- flowbits - checking multiple bits being set to create alerting Eoin Miller (Jun 13)
- Re: flowbits - checking multiple bits being set to create alerting Patrick Mullen (Jun 14)
- Re: flowbits - checking multiple bits being set to create alerting Eoin Miller (Jun 15)
- Re: flowbits - checking multiple bits being set to create alerting Patrick Mullen (Jun 14)