[Snort-users] flowbits - checking multiple bits being set to create alerting

Patrick Mullen pmullen at ...1935...
Tue Jun 14 12:37:58 EDT 2011


Could you send a pcap and the three rules (the rule below and the two
flowbit setting rules) to me that demonstrate this behavior?  If what
you describe is correct, this is a bug and we need to correct it.  The
way the rules language works, the flowbit checks as described below
should be an AND-type series of checks.



On Mon, Jun 13, 2011 at 1:51 PM, Eoin Miller
<eoin.miller at ...14586...> wrote:
> Experimenting in the lab and wondering about a rule checking two
> flowbits in order to fire. It appears that checking multiple flowbits
> within a single rule alerts using OR instead of AND? Just seems weird
> that all other things in the rule to be true in order for the rule to
> fire except for multi-flowbit checking?
> Example:
> alert ip any any -> any any (msg:"Both flowbits set";
> flowbits:isset,flowbit.numberone; flowbits:isset,flowbit.numbertwo;
> classtype:misc-activity; sid:1; rev:1;)
> -- Eoin
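As an added illustration (not Snort code and not from this thread), a small Python model of the per-flow flowbits state Patrick describes: a rule fires only when every option in its body holds, so two isset checks AND together, and a bit set on one flow is invisible to another. Rule 1 is the checker from the quoted message; the two setter rules (sids 1001 and 1002), the payload contents and the flow tuples are constructed for the demo.

```python
from collections import namedtuple
Rule = namedtuple("Rule", "sid content flowbits")  # sid, payload substring, (op, bit) options
# Constructed rule set: two setter rules plus the checker rule from the thread.
RULES = [
    Rule(1001, b"ONE", [("set", "flowbit.numberone"), ("noalert", "")]),
    Rule(1002, b"TWO", [("set", "flowbit.numbertwo"), ("noalert", "")]),
    Rule(1, None, [("isset", "flowbit.numberone"), ("isset", "flowbit.numbertwo")]),
]

def rule_matches(rule, payload, bits):
    """Every option must hold, so several isset checks are ANDed, never ORed."""
    if rule.content is not None and rule.content not in payload:
        return False
    for op, name in rule.flowbits:
        if op == "isset" and name not in bits:
            return False
    return True

def apply_side_effects(rule, bits):
    """set/noalert run only after the whole rule matched; True means suppress the alert."""
    suppress = False
    for op, name in rule.flowbits:
        if op == "set":
            bits.add(name)
        elif op == "noalert":
            suppress = True
    return suppress

def evaluate(packets, rules=RULES):
    """packets: iterable of (flow_key, payload); returns [(flow_key, sid), ...]."""
    flow_bits, alerts = {}, []                 # bits are kept per flow, not globally
    for flow, payload in packets:
        bits = flow_bits.setdefault(flow, set())
        snapshot = frozenset(bits)             # model choice: a bit set while handling
        for rule in rules:                     # this packet is visible from the next one
            if rule_matches(rule, payload, snapshot):
                if not apply_side_effects(rule, bits):
                    alerts.append((flow, rule.sid))
    return alerts

# Constructed traffic; flow keys are placeholder (src, sport, dst, dport) tuples.
FLOW_A = ("10.0.0.5", 40000, "10.0.0.9", 80)
FLOW_B = ("10.0.0.6", 40001, "10.0.0.9", 80)
SAMPLE = [
    (FLOW_A, b"ONE"),  # numberone set on A; sid 1 must stay quiet (no OR behaviour)
    (FLOW_B, b"TWO"),  # numbertwo set on B only; bits do not leak across flows
    (FLOW_A, b"TWO"),  # numbertwo now set on A too
    (FLOW_A, b""),     # both bits set on A -> sid 1 fires
    (FLOW_B, b""),     # only one bit on B -> nothing
]
```

Running `evaluate(SAMPLE)` yields a single alert for sid 1 on FLOW_A; if the checker fired after the first packet, that would be the OR behaviour Eoin reports.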
