[Snort-users] Flags in snort rules

Bill McCarty bmccarty at ...5196...
Sun Mar 17 17:49:07 EST 2002


Hi Brian,

So, I must be misreading the packet trace. In any case, I changed the rule 
to "flags:SA!;". Apparently, that has the same meaning as "flags:S;". So, I 
seem to have what I want.

Thanks!

--On Sunday, March 17, 2002 8:16 PM -0500 Brian <bmc at ...950...> wrote:

> According to Bill McCarty:
>> I'm trying to code a Snort rule that will match packets having the SYN
>> flag set but the ACK flag not set. It seemed to me that "flags:S;"
>> would do this. But, looking at packet traces seems to indicate that
>> such a rule matches packets with the SYN flag set, irrespective of the
>> state of the ACK flag.
>>
>> Have I coded the rule incorrectly, read the packet traces incorrectly,
>> or both?
>
> using "flags:S;" looks for packets with JUST the SYN flag.
> "flags:S+;" looks for packets with the SYN flag and may include any
> other flag.

---------------------------------------------------
Bill McCarty
