[Snort-users] Flags in snort rules

Brian bmc at ...950...
Tue Mar 19 05:07:20 EST 2002


According to Bill McCarty:
> I'm trying to code a Snort rule that will match packets having the SYN flag 
> set but the ACK flag not set. It seemed to me that "flags:S;" would do 
> this. But, looking at packet traces seems to indicate that such a rule 
> matches packets with the SYN flag set, irrespective of the state of the ACK 
> flag.
> 
> Have I coded the rule incorrectly, read the packet traces incorrectly, or 
> both?

using "flags:S;" looks for packets with JUST the SYN flag.
"flags:S+"; looks for packets with the SYN flag and may include any
other flag.

-brian

-- 
There is no spoon.




More information about the Snort-users mailing list