[Snort-users] Rule construction

Bill McCarty bmccarty at ...5196...
Sun Mar 24 10:16:05 EST 2002


I want to create a TCP rule that expects the SYN flag to be off, the ACK 
flag to be on, and doesn't care about remaining flags, including PSH in 
particular. I think that such a rule requires the NOT operator (!). But, 
it's not clear whether that operator is prefix or postfix, etc. And, I 
don't find an example of its use in the rule set I'm using. So, I'm unsure.

Q: Is the proper syntax "flags:S!A+; "?

Thanks!

---------------------------------------------------
Bill McCarty



