[Snort-users] fragbits option

Wirth, Jeff WirthJe at ...4876...
Wed Mar 27 12:36:20 EST 2002


> I'm testing using the fragbits option and have read the doc on writing
> rules. I'm trying to figure out my options when using the fragbits option.
> When is a "+" sign used and when is it not? For example, what's the
> difference between:
>
> fragbits: D
>
> and
>
> fragbits: D+

The "+" tells snort to look for the specified fragment or reserve bit plus
any other.  

examples:

fragbits: D -> ONLY the "Don't Fragment" flag
fragbits: D+ -> "Don't Fragment" flag PLUS any other i.e. RB - "Reserved
Bit"

Hope this helps,

- Jeff




More information about the Snort-users mailing list