[Snort-users] fragbits option
erek at ...577...
Wed Mar 27 12:06:11 EST 2002
On Wed, 27 Mar 2002, Sheahan, Paul (PCLN-NW) wrote:
> I'm testing using the fragbits option and have read the doc on writing
> rules. I'm trying to figure out my options when using the fragbits option.
> When is a "+" sign used and when is it not? For example, what's the
> difference between:
> fragbits: D
> fragbits: D+
I'm looking at the PDF version of the Snort Users Manual, Section 2.3.7:
"You can also use these modifiers to indicate logical match criteria for the
specified bits: [Note: I think this was supposed to be in a table/list
instead of on one line...]
* + -- ALL flag, Match on specified bits plus any others
* * -- ANY flag, Match if any of the specified bits are set
* ! -- NOT flag, Match if the specified bits are not set."
(The first * on each line is just a marker, to show bullet style items.)
> And are there other symbols besides "+" that can be used? The docs are not
> very clear on this......
Yes, see above.
So to answer your question:
fragbits: D == Match only if the flag on the packet is D and nothing
else. D and D only.
fragbits: D+ == Match if the flag(s) on the packet are a D and
Hope that helps!
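
The match modes quoted from the manual in the reply above, written out as bit tests. This is an added example, not part of the original post and not Snort's own code. The helper name `fragbits_match` is hypothetical, the sample `ip_off` values are constructed, and "!" is assumed to mean that none of the named bits are set.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits in the IPv4 flags+fragment-offset field (host byte order). */
#define FB_R    0x8000u   /* R: reserved bit   */
#define FB_D    0x4000u   /* D: Don't Fragment */
#define FB_M    0x2000u   /* M: More Fragments */
#define FB_MASK 0xE000u   /* low 13 bits are the fragment offset */

/* Hypothetical helper: 1 = match, 0 = no match, -1 = bad option string. */
int fragbits_match(const char *opt, uint16_t ip_off)
{
    uint16_t want = 0, have = ip_off & FB_MASK;
    char mode = 0;

    for (; *opt; opt++) {
        switch (*opt) {
        case 'R': want |= FB_R; break;
        case 'D': want |= FB_D; break;
        case 'M': want |= FB_M; break;
        case '+': case '*': case '!':
            if (mode) return -1;          /* at most one modifier */
            mode = *opt;
            break;
        default:
            return -1;                    /* unknown character */
        }
    }
    if (want == 0) return -1;             /* no bits named */

    switch (mode) {
    case '+': return (have & want) == want;  /* ALL: named bits set, others allowed */
    case '*': return (have & want) != 0;     /* ANY: at least one named bit set */
    case '!': return (have & want) == 0;     /* NOT: assumed "none of the named bits set" */
    default:  return have == want;           /* plain: exactly these bits, no others */
    }
}

int main(void)
{
    /* Constructed samples: DF only, DF+MF, MF with offset field 16, no flags. */
    const uint16_t samples[] = { 0x4000, 0x6000, 0x2010, 0x0000 };
    const char *opts[] = { "D", "D+", "DM*", "!D" };

    for (size_t i = 0; i < 4; i++)
        for (size_t j = 0; j < 4; j++)
            printf("fragbits: %-4s ip_off=0x%04X -> %d\n",
                   opts[i], (unsigned)samples[j], fragbits_match(opts[i], samples[j]));
    return 0;
}
```
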