[Snort-users] porno rules

Matt Kettler mkettler at ...4108...
Tue Apr 29 18:59:05 EDT 2003

At 05:10 PM 4/29/2003 -0700, Bryan Irvine wrote:
>I've figured it out.
>I changed this "flow:to_client,established;" to this "flags:A+;"
>I'm very new to snort. I installed it for the first time right before
>2.0-release came out.  What do these 2 options do?


The packet must be flowing to the client half of the TCP 3-way handshake 
(i.e., the one that started the connection in the first place) and must be in 
an established state (i.e., not part of the 3-way handshake or the teardown).

Note that flows seem to require that stream4 be enabled to work correctly.


The packet must have the TCP ack bit set. Other bits may be set as well and 
are treated as "don't care". This has a somewhat similar effect to the 
"established" part of the flow, but it's stateless so it will also match a 
"stray ack packet" that isn't associated with an existing connection.
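To make the stateless-versus-stateful distinction concrete, here is an added example (not code from the Snort-users post, and not Snort's own stream4 implementation): a toy connection tracker that follows the 3-way handshake per 4-tuple, run side by side with a stateless ACK-bit check over a constructed packet sequence. The `StreamTracker` class is a deliberately simplified stand-in for stream4; it treats the third handshake packet (the client's ACK) as still part of the handshake rather than as established, which is an assumption made here to match the description above. Addresses, ports and the packet sequence are constructed for the illustration.

```python
"""Toy model: Snort `flags:A+` (stateless) vs `flow:to_client,established`
(stateful, needs a stream tracker such as stream4). Added example; not
Snort source. Addresses, ports and packets below are constructed."""

from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flags_a_plus(pkt):
    """`flags:A+`: ACK must be set, every other bit is "don't care".
    Purely stateless: needs no knowledge of any connection."""
    return bool(pkt.flags & ACK)


class StreamTracker:
    """Simplified stand-in for stream4 (assumption, not Snort's logic).
    Per 4-tuple state: syn_sent -> syn_recv -> established -> closing."""

    def __init__(self):
        self.sessions = {}  # normalized 4-tuple -> {"state", "client"}

    @staticmethod
    def _key(pkt):
        # Both directions of a connection map to the same session key.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def observe(self, pkt):
        """Update state for this packet and return (direction, established),
        where direction is 'to_server', 'to_client' or None (no session)."""
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            if pkt.flags & SYN and not pkt.flags & ACK:
                # First SYN: whoever sent it is the client.
                self.sessions[key] = {"state": "syn_sent",
                                      "client": (pkt.src, pkt.sport)}
                return "to_server", False
            return None, False  # stray packet, no tracked session
        direction = ("to_server" if (pkt.src, pkt.sport) == sess["client"]
                     else "to_client")
        st = sess["state"]
        if st == "syn_sent" and direction == "to_client" \
                and pkt.flags & SYN and pkt.flags & ACK:
            sess["state"] = "syn_recv"          # SYN/ACK: still handshake
            return direction, False
        if st == "syn_recv" and direction == "to_server" \
                and pkt.flags & ACK and not pkt.flags & SYN:
            sess["state"] = "established"       # third packet completes it
            return direction, False             # but is itself handshake
        if st == "established":
            if pkt.flags & (FIN | RST):
                sess["state"] = "closing"       # teardown: not established
                return direction, False
            return direction, True
        return direction, False                 # anything during closing


def evaluate(packets, tracker=None):
    """For each packet return (matches_flags_A_plus, matches_flow_to_client_established)."""
    tracker = tracker or StreamTracker()
    out = []
    for pkt in packets:
        direction, established = tracker.observe(pkt)
        out.append((flags_a_plus(pkt),
                    direction == "to_client" and established))
    return out


# Constructed sequence: client 10.0.0.5:40000 talks to server 10.0.0.8:80,
# plus one stray ACK from an unrelated host that was never part of a handshake.
C, S, X = ("10.0.0.5", 40000), ("10.0.0.8", 80), ("192.0.2.9", 80)
SAMPLE = [
    Packet(*C, *S, SYN),            # 1. handshake: SYN
    Packet(*S, *C, SYN | ACK),      # 2. handshake: SYN/ACK
    Packet(*C, *S, ACK),            # 3. handshake: ACK (completes it)
    Packet(*C, *S, PSH | ACK),      # 4. request, to_server
    Packet(*S, *C, PSH | ACK),      # 5. response, to_client, established
    Packet(*X, "10.0.0.5", 40001, ACK),  # 6. stray ACK, no session
    Packet(*S, *C, FIN | ACK),      # 7. teardown begins
    Packet(*C, *S, ACK),            # 8. ACK during teardown
]


def demo():
    """Only packet 5 satisfies flow:to_client,established; flags:A+ also
    fires on the handshake, the request, the teardown and the stray ACK."""
    return evaluate(SAMPLE)


if __name__ == "__main__":
    for i, (a_plus, flow) in enumerate(demo(), 1):
        print(f"packet {i}: flags:A+={a_plus}  flow:to_client,established={flow}")
```

The point the table of results makes is the one in the reply above: `flags:A+` is a property of a single header and fires on packet 6 even though no handshake ever created that session, while the `flow` keyword can only be true once a tracker has seen the handshake complete and the packet heads toward the initiator, which is why it is silent without stream4.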

