[Snort-users] Problems on Flowbits Option

Luo Xin kingsleyluoxin at ...125...
Tue Apr 11 21:58:36 EDT 2017

I am trying to build a state machine for TCP or other protocols. But I don’t know why my rules don’t work. ☹

From: "Joel Esler (jesler)" <jesler at ...589...>
Date: Monday, April 10, 2017, 11:55 PM
To: Luo Xin <kingsleyluoxin at ...125...>
Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Problems on Flowbits Option

Many people have done what you are trying to do.  What are you trying to do??

Joel Esler | Talos: Manager | jesler at ...589...

On Apr 10, 2017, at 3:55 AM, Luo Xin <kingsleyluoxin at ...125...> wrote:

Hello, everyone!

I have been confused about the flowbits option. According to the Snort manual, it is possible to use this option to implement a simple state machine. I have been trying to do that, but my tries have proved to be failures. I have been wondering if I have a wrong understanding of this flowbits option.

Is there anybody that has ever used the flowbits option to implement a protocol state machine? If so, would you please be so kind as to help me solve my puzzles?

Any help shall be appreciated.