[Snort-users] newbie question about pass and alert directive

Fri Feb 22 04:27:46 EST 2013

Hi folks,
I'm new to Snort and, reading the docs, I can't find what I'm looking for
(maybe I have to be more concentrated).

I want to ignore the SYN+ACK, RST+ACK and ACK used for normal established
connections from my server to every host on the internet, but I want to generate
an alert for every spurious ACK or RST generated by my server not belonging
to any ESTABLISHED connection.

So from what I understood, my rule will be:
alert tcp $HOME_NET any -> any any (msg:"test rule";
flow:from_server,not_established; classtype:not-suspicious; sid:10000012;)

Another question:

Writing these rules:

1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A;
classtype:not-suspicious; sid:10000013; rev:1;)
2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A;
content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014;)

Will the rule at point 2 be ignored because the rule at point 1 tells Snort to
ignore every TCP packet with the ACK flag set?

Thank you in advance for your response,
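An added example, not part of the thread and not Snort's own code: a small Python model of how one action is chosen among the rules that match a packet, using the two rules from the post. It assumes the Snort 2.x default rule order in which pass is applied before alert, and the rule parser and packet format are deliberately simplified (only the flags, content, nocase and sid options are modelled; the packet is a constructed dict).

```python
# Two rules quoted from the post (closing parenthesis added; flag markers stripped).
RULES = [
    'pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A; '
    'classtype:not-suspicious; sid:10000013; rev:1;)',
    'alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A; '
    'content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014;)',
]

# Assumption: Snort 2.x default rule order, in which pass is applied before alert.
DEFAULT_ORDER = ("pass", "drop", "alert", "log")

def parse_rule(text):
    """Extract only what this toy matcher needs: action, flags, content, nocase, sid."""
    head, _, body = text.partition("(")
    rule = {"action": head.split()[0], "flags": None, "content": None,
            "nocase": False, "sid": None}
    for opt in body.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key == "flags":
            rule["flags"] = val.strip()      # flags:A means exactly ACK set
        elif key == "content":
            rule["content"] = val.strip().strip('"').encode()
        elif key == "nocase":
            rule["nocase"] = True
        elif key == "sid":
            rule["sid"] = int(val)
    return rule

def matches(rule, packet):
    """packet is a constructed dict: {'flags': 'A', 'payload': b'...'}."""
    if rule["flags"] is not None and packet["flags"] != rule["flags"]:
        return False
    if rule["content"] is not None:
        hay, needle = packet["payload"], rule["content"]
        if rule["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

def decide(rules, packet, order=DEFAULT_ORDER):
    """Return (action, sid) of the winning rule, or None when nothing matches.
    Of all matching rules, the one whose action comes first in `order` wins, so a
    matching pass rule silences later alert rules whenever pass precedes alert."""
    hits = [r for r in map(parse_rule, rules) if matches(r, packet)]
    if not hits:
        return None
    best = min(hits, key=lambda r: order.index(r["action"]))
    return best["action"], best["sid"]
```

With the assumed pass-first order, an ACK-only packet carrying "bogus trojan" is swallowed by sid 10000013 and sid 10000014 never fires; reordering alert before pass flips the outcome, which is why the intended rule order has to be checked in the running configuration rather than inferred from the rule file.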