[Snort-users] fragbits option

Wirth, Jeff WirthJe at ...4876...
Wed Mar 27 12:36:20 EST 2002

> I'm testing using the fragbits option and have read the doc on writing
> rules. I'm trying to figure out my options when using the fragbits option.
> When is a "+" sign used and when is it not? For example, what's the
> difference between:
> fragbits: D
> and
> fragbits: D+

The "+" tells Snort to look for the specified fragment or reserved bit plus
any other.

fragbits: D -> ONLY the "Don't Fragment" flag
fragbits: D+ -> "Don't Fragment" flag PLUS any other i.e. RB - "Reserved

Hope this helps,

- Jeff
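
The difference between the two forms, as an added example that is not part of the original message or of Snort's own code: a small Python evaluator that reads the flag bits from an IPv4 header and applies "fragbits: D" (exact match) and "fragbits: D+" (D set, other flag bits allowed). The function names and the sample headers are constructed for illustration, and treating "D+" as also matching a header with only D set is an assumption about Snort's behaviour.

```python
import struct

# IPv4 flag bits live in the top three bits of the 16-bit
# flags/fragment-offset field (header bytes 6-7).
FLAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}
FLAG_MASK = 0xE000


def ip_flags(header: bytes) -> int:
    """Return the three IPv4 flag bits from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    return flags_frag & FLAG_MASK


def fragbits_match(option: str, header: bytes) -> bool:
    """Evaluate a fragbits argument such as 'D' or 'D+' against a header."""
    option = option.strip().upper()
    plus = option.endswith("+")
    letters = option.rstrip("+")
    if not letters or any(c not in FLAG_BITS for c in letters):
        raise ValueError(f"unsupported fragbits argument: {option!r}")
    wanted = 0
    for c in letters:
        wanted |= FLAG_BITS[c]
    present = ip_flags(header)
    if plus:
        # "+": every listed bit is set; other flag bits may be set too.
        return (present & wanted) == wanted
    # No modifier: exactly the listed bits and nothing else.
    return present == wanted


def make_header(flags: str) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header with the given flags."""
    ff = 0
    for c in flags:
        ff |= FLAG_BITS[c]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, ff, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


if __name__ == "__main__":
    for flags in ("D", "RD", "M"):
        hdr = make_header(flags)
        print(flags, fragbits_match("D", hdr), fragbits_match("D+", hdr))
```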
