[Snort-users] Flags rule option

Bill McCarty bmccarty at ...5196...
Thu Sep 26 17:23:03 EDT 2002

Hi all,

I have the following Snort rule:

alert tcp any any -> XXX.XXX.XXX.XXX 1024:65535 (flags:S+; flags:A!; 
msg:"Local suspicious inbound"; )

This rule matches the following datagram:

09/26/02-15:49:14.256645 YYY.YYY.YYY.YYY:80 -> XXX.XXX.XXX.XXX:24247
TCP TTL:237 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x2ED4C858 Ack: 0x0 Win: 0x0 TcpLen: 20

I think that both flags options must be matched in order for the rule as a 
whole to match. Yet, the matching datagram does not have the S flag set. 
What am I missing?


Bill McCarty

More information about the Snort-users mailing list