[Snort-users] flowbits - checking multiple bits being set to create alerting
eoin.miller at ...14586...
Mon Jun 13 13:51:17 EDT 2011

Experimenting in the lab and wondering about a rule checking two
flowbits in order to fire. It appears that checking multiple flowbits
within a single rule alerts using OR instead of AND? Just seems weird
that all other things in the rule need to be true in order for the rule
to fire, except for multi-flowbit checking?

alert any any -> any any (msg:"Both flowbits set";
    classtype:misc-activity; sid:1; rev:1;)