[Snort-users] Flags in snort rules
bmc at ...950...
Tue Mar 19 05:07:20 EST 2002
According to Bill McCarty:
> I'm trying to code a Snort rule that will match packets having the SYN flag
> set but the ACK flag not set. It seemed to me that "flags:S;" would do
> this. But, looking at packet traces seems to indicate that such a rule
> matches packets with the SYN flag set, irrespective of the state of the ACK
> Have I coded the rule incorrectly, read the packet traces incorrectly, or
Using "flags:S;" looks for packets with JUST the SYN flag.
"flags:S+;" looks for packets with the SYN flag and may include any
There is no spoon.
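Added example, not part of the original message and not Snort's own code: a small Python model of the two matching behaviours described in the reply, set beside the "SYN set, ACK clear" condition the question asks for. The function names and sample flag bytes are constructed for illustration, and only the six classic flag bits are modelled (an assumption of this sketch).

```python
# Added illustration: models the two behaviours described in the reply.
# Names and sample bytes are constructed; only the six classic flags are modelled.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
CLASSIC_MASK = 0x3F


def parse_flags_option(spec):
    """Split a spec such as 'S' or 'S+' into (required_bits, allow_extra)."""
    allow_extra = spec.endswith("+")
    letters = spec[:-1] if allow_extra else spec
    if not letters:
        raise ValueError("no flag letters in %r" % spec)
    required = 0
    for letter in letters:
        if letter not in FLAG_BITS:
            raise ValueError("unsupported flag letter %r" % letter)
        required |= FLAG_BITS[letter]
    return required, allow_extra


def flags_match(spec, tcp_flags):
    """'S' matches only the listed flags; 'S+' matches them plus any others."""
    required, allow_extra = parse_flags_option(spec)
    observed = tcp_flags & CLASSIC_MASK
    if allow_extra:
        return (observed & required) == required
    return observed == required


def syn_without_ack(tcp_flags):
    """The condition from the question: SYN set, ACK clear, rest ignored."""
    return bool(tcp_flags & FLAG_BITS["S"]) and not (tcp_flags & FLAG_BITS["A"])


# Constructed TCP flag bytes (offset 13 of the TCP header).
SAMPLES = [("SYN", 0x02), ("SYN+ACK", 0x12), ("SYN+FIN", 0x03), ("ACK", 0x10)]


def compare(samples=SAMPLES):
    """Map each sample name to (flags:S, flags:S+, SYN-without-ACK) results."""
    return {name: (flags_match("S", value), flags_match("S+", value),
                   syn_without_ack(value)) for name, value in samples}


if __name__ == "__main__":
    for name, row in compare().items():
        print("%-8s flags:S=%s flags:S+=%s syn_without_ack=%s" % ((name,) + row))
```

In this model the SYN+FIN sample satisfies the question's condition but not the exact form, and the SYN+ACK sample matches the plus form but not the question's condition.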