[Snort-users] newbie question about pass and alert directive

waldo kitty wkitty42 at ...14940...
Fri Feb 22 12:22:10 EST 2013


On 2/22/2013 04:27, . wrote:
> another question:
>
> writing these rules:
>
> 1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; *flag:A*;
> classtype:not-suspicious; sid:10000013; rev:1;)
> 2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN";*flags:A*;
> content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)
>
> the rule at point 2 will be ignored because the rule at point 1 tells snort to ignore
> every tcp packet with the ACK flag active?

no... the first rule doesn't tell snort to do anything other than alert based 
on the ACK flag... the second rule will fire if there is content "bogus trojan" 
and the ACK flag... the question is whether such a packet as the second rule is 
looking for will exist...
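An added toy evaluator for the question in this thread (example code, not from the thread or from Snort itself): it parses the two rules as quoted, written with Snort's `flags` keyword for both (the quoted rule 1 spells it `flag`), and checks a constructed ACK-only segment carrying the content string against them in Snort 2.x's default action order, where pass rules are applied before alert rules (`config order`). The `$HOME_NET` membership and the packet are assumptions made for the example.

```python
import re

DEFAULT_ORDER = ("pass", "drop", "alert", "log")  # Snort 2.x default "config order"
HOME_NET = {"192.0.2.10"}  # constructed $HOME_NET membership for this example
RULE_RE = re.compile(r"^(\w+) (\w+) (\S+) (\S+) (?:->|<>) (\S+) (\S+) \((.*)\)$")

def parse_rule(text):
    """Split a one-line rule into header fields and an ordered (key, value) option list."""
    m = RULE_RE.match(" ".join(text.split()))
    if m is None:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = [tuple(s.strip().strip('"') for s in o.partition(":")[::2])
            for o in body.split(";") if o.strip()]  # simplification: no escaped ';'
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts, "sid": dict(opts).get("sid")}
def addr_ok(spec, addr):
    return spec in ("any", addr) or (spec == "$HOME_NET" and addr in HOME_NET)
def matches(rule, pkt):
    """True if the packet satisfies the rule header and its detection options."""
    if (rule["proto"] != pkt["proto"] or not addr_ok(rule["src"], pkt["src"])
            or not addr_ok(rule["dst"], pkt["dst"])
            or rule["sport"] not in ("any", str(pkt["sport"]))
            or rule["dport"] not in ("any", str(pkt["dport"]))):
        return False
    contents = []  # [pattern, nocase]; nocase modifies the content option before it
    for key, val in rule["opts"]:
        if key == "flags" and set(val) != pkt["flags"]:  # flags:A = ACK is the only flag
            return False
        if key == "content":
            contents.append([val, False])
        elif key == "nocase":
            contents[-1][1] = True
    return all((p.lower() in pkt["payload"].lower()) if nc else (p in pkt["payload"])
               for p, nc in contents)
def decide(rules, pkt, order=DEFAULT_ORDER):
    """Return (action, sid) of the first matching rule in the configured action order."""
    for action in order:
        for r in rules:
            if r["action"] == action and matches(r, pkt):
                return action, r["sid"]
    return "none", None

RULES = [parse_rule(r) for r in (
    'pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A; '
    'classtype:not-suspicious; sid:10000013; rev:1;)',
    'alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A; '
    'content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)')]
# Constructed packet: ACK-only segment from $HOME_NET carrying the test string.
PKT = {"proto": "tcp", "src": "192.0.2.10", "sport": 40000, "dst": "198.51.100.5",
       "dport": 80, "flags": {"A"}, "payload": "GET / Bogus Trojan HTTP/1.0"}
```

With the default order `decide(RULES, PKT)` returns `('pass', '10000013')`; with alert listed before pass it returns `('alert', '10000014')`, which is the difference the question is about.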
