[Snort-users] porno rules
mkettler at ...4108...
Tue Apr 29 18:59:05 EDT 2003
At 05:10 PM 4/29/2003 -0700, Bryan Irvine wrote:
>I've figured it out.
>I changed this "flow:to_client,established;" to this "flags:A+;"
>I'm very new to snort. I installed it for the first time right before
>2.0-release came out. What do these 2 options do?
The packet must be flowing to the client half of the TCP 3 way handshake
(ie: the one that started the connection in the first place) and must be in
an established state (ie: not part of the 3 way handshake or the teardown
Note that flows seem to require that stream4 be enabled to work correctly.
The packet must have the TCP ack bit set. Other bits may be set as well and
are treated as "don't care". This has a somewhat similar effect to the
"established" part of the flow, but it's stateless so it will also match a
"stray ack packet" that isn't associated with an existing connection.
More information about the Snort-users