[Snort-users] flowbits - checking multiple bits being set to create alerting

Eoin Miller eoin.miller at ...14586...
Mon Jun 13 13:51:17 EDT 2011


Experimenting in the lab and wondering about a rule that checks two 
flowbits in order to fire. It appears that checking multiple flowbits 
within a single rule alerts using OR instead of AND? It just seems weird 
that all other things in the rule have to be true in order for the rule to 
fire, except for multi-flowbit checking?

Example:
alert ip any any -> any any (msg:"Both flowbits set"; 
flowbits:isset,flowbit.numberone; flowbits:isset,flowbit.numbertwo; 
classtype:misc-activity; sid:1; rev:1;)

-- Eoin
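The following rule chain is an added example, not part of the original post: two "setter" rules each mark a bit on the flow without alerting, and a third rule alerts only when both bits are present, using the `&` operator inside a single `flowbits:isset` so the AND requirement is stated explicitly rather than relying on two separate `flowbits` options. The `&` (and `|`) operators in `flowbits:isset` are supported in the 2.9 line of Snort; the flowbits section of the manual for your release confirms whether your build has them. The `LAB` message prefixes, the `STAGE1`/`STAGE2` content strings, the bit names and the SIDs are constructed placeholders for a lab, not values from the post.

```snort
# Stage one: tag the flow, do not alert on its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LAB stage one seen"; flow:established,to_server; content:"STAGE1"; flowbits:set,lab.stage_one; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Stage two: tag the flow, do not alert on its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LAB stage two seen"; flow:established,to_server; content:"STAGE2"; flowbits:set,lab.stage_two; flowbits:noalert; classtype:misc-activity; sid:1000002; rev:1;)

# Final check: '&' makes the test an explicit AND over both bits on the same flow.
# Replace '&' with '|' if the intended behaviour is "either bit".
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LAB both stages seen on one flow"; flow:established,to_server; flowbits:isset,lab.stage_one&lab.stage_two; classtype:misc-activity; sid:1000003; rev:1;)
```

Because flowbits are scoped to a flow, the third rule only fires when both setter rules matched on the same session; traffic that hits stage one in one connection and stage two in another never satisfies the check. Testing this with a pcap replay and `snort -A console` on a local rules file is the quickest way to confirm which operator semantics a given build applies.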



