[Snort-users] porno rules

Matt Kettler mkettler at ...4108...
Tue Apr 29 18:59:05 EDT 2003


At 05:10 PM 4/29/2003 -0700, Bryan Irvine wrote:
>I've figured it out.
>
>I changed this "flow:to_client,established;" to this "flags:A+;"
>
>I'm very new to snort. I installed it for the first time right before
>2.0-release came out.  What do these 2 options do?

flow:to_client,established:

The packet must be flowing to the client half of the TCP 3-way handshake 
(i.e. the one that started the connection in the first place) and must be in 
an established state (i.e. not part of the 3-way handshake or the teardown 
sequence).

Note that flows seem to require that stream4 be enabled to work correctly.

flags:A+:

The packet must have the TCP ack bit set. Other bits may be set as well and 
are treated as "don't care". This has a somewhat similar effect to the 
"established" part of the flow, but it's stateless so it will also match a 
"stray ack packet" that isn't associated with an existing connection.
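The following Python model is an added illustration of the distinction Matt describes; it is not part of his reply and not Snort source code. A small stateless check stands in for flags:A+, and a toy connection tracker (a hypothetical simplification of stream4, not its real logic) stands in for flow:to_client,established. The hosts, ports and payloads in the trace are constructed for the demo. Run over a normal handshake, one data exchange, one stray ACK from an unrelated host and a FIN, it shows which packets each option would match and why the stateless form fires on packets that belong to no tracked connection.

```python
"""Toy model of two Snort rule options: stateless flags:A+ versus stateful
flow:to_client,established (added example; not Snort source code)."""
from dataclasses import dataclass

# TCP flag bits (same letters Snort's "flags" option uses: F S R P A)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    label: str            # name used in the results, constructed for the demo
    src: tuple            # (ip, port)
    dst: tuple            # (ip, port)
    flags: int
    payload: bytes = b""


def flags_a_plus(pkt: Packet) -> bool:
    """flags:A+ : the ACK bit must be set; every other bit is "don't care".
    No connection state is consulted, so a stray ACK matches too."""
    return bool(pkt.flags & ACK)


class StreamTracker:
    """Hypothetical stand-in for the stream4 preprocessor: remembers who sent
    the SYN (the client) and walks the 3-way handshake so 'flow' can be judged."""

    def __init__(self):
        # (client, server) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED" | "CLOSING"
        self.sessions = {}

    def _key(self, pkt):
        # A session is looked up in either direction.
        for key in ((pkt.src, pkt.dst), (pkt.dst, pkt.src)):
            if key in self.sessions:
                return key
        return None

    def observe(self, pkt: Packet) -> None:
        key = self._key(pkt)
        if key is None:
            # Only a bare SYN opens a session; its sender becomes the client.
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.sessions[(pkt.src, pkt.dst)] = "SYN_SENT"
            return
        client, server = key
        state = self.sessions[key]
        if state == "SYN_SENT" and pkt.src == server and pkt.flags & SYN and pkt.flags & ACK:
            self.sessions[key] = "SYN_RECV"
        elif state == "SYN_RECV" and pkt.src == client and pkt.flags & ACK and not pkt.flags & SYN:
            self.sessions[key] = "ESTABLISHED"
        elif pkt.flags & (FIN | RST):
            # Teardown has begun: the session is no longer "established".
            self.sessions[key] = "CLOSING"

    def flow_to_client_established(self, pkt: Packet) -> bool:
        """flow:to_client,established : the packet belongs to a tracked session
        that has completed the handshake and is heading toward the client."""
        key = self._key(pkt)
        if key is None:
            return False
        client, _server = key
        return self.sessions[key] == "ESTABLISHED" and pkt.dst == client


def evaluate(packets):
    """Return {label: (flags_a_plus_matched, flow_matched)} for a packet sequence."""
    tracker = StreamTracker()
    results = {}
    for pkt in packets:
        tracker.observe(pkt)
        results[pkt.label] = (flags_a_plus(pkt), tracker.flow_to_client_established(pkt))
    return results


# Constructed trace: one HTTP-style session plus a stray ACK from an unrelated host.
CLIENT = ("10.0.0.5", 40000)
SERVER = ("192.0.2.10", 80)
STRANGER = ("198.51.100.7", 80)   # never completed a handshake with CLIENT

DEMO_TRACE = [
    Packet("syn", CLIENT, SERVER, SYN),
    Packet("synack", SERVER, CLIENT, SYN | ACK),
    Packet("ack", CLIENT, SERVER, ACK),
    Packet("request", CLIENT, SERVER, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    Packet("response", SERVER, CLIENT, PSH | ACK, b"HTTP/1.0 200 OK\r\n"),
    Packet("stray_ack", STRANGER, CLIENT, ACK),
    Packet("fin", SERVER, CLIENT, FIN | ACK),
]

if __name__ == "__main__":
    for label, (a_plus, flow) in evaluate(DEMO_TRACE).items():
        print(f"{label:10s} flags:A+={a_plus!s:5s} flow:to_client,established={flow}")
```

Only the server's data response satisfies both options; the SYN/ACK, the client's own packets, the FIN and the stray ACK all carry the ACK bit and so match flags:A+, while the flow option rejects them for lacking an established, client-bound context. That is the trade-off Matt points out: flags:A+ needs no stream4 state, but it also alerts on traffic that never belonged to a connection.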