[Snort-users] Rule construction

Bill McCarty bmccarty at ...5196...
Sun Mar 24 11:11:05 EST 2002

After some experimentation, it seems that the NOT operator cannot be 
applied to a single flag. Instead, it applies to the entire set of 
specified flags.

So, it appears that two rules must be used:

>   flags:A
>   flags:AP

This DOES work, though perhaps there's a less wordy way to accomplish the 
same goal.

--On Sunday, March 24, 2002 10:15 AM -0800 Bill McCarty <bmccarty at ...5196...> 

> I want to create a TCP rule that expects the SYN flag to be off, the ACK
> flag to be on, and doesn't care about remaining flags, including PSH in
> particular. I think that such a rule requires the NOT operator (!). But,
> it's not clear whether that operator is prefix or postfix, etc. And, I
> don't find an example of its use in the rule set I'm using. So, I'm
> unsure.
> Q: Is the proper syntax "flags:S!A+; "?

Bill McCarty

More information about the Snort-users mailing list