[Snort-users] Problems on Flowbits Option

Al Lewis (allewi) allewi at ...589...
Tue Apr 11 22:25:56 EDT 2017


It will help if you provide an example.

“My rules don’t work” isn’t much to go on :-)


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...

On 4/11/17, 9:58 PM, "Luo Xin" <kingsleyluoxin at ...125...> wrote:

>
>
>I am trying to build a state machine for TCP or other protocols. But I don’t know why my rules don’t work. ☹
>
>From: "Joel Esler (jesler)" <jesler at ...589...>
>Date: Monday, April 10, 2017, 11:55 PM
>To: Luo Xin <kingsleyluoxin at ...125...>
>Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>Subject: Re: [Snort-users] Problems on Flowbits Option
>
>Many people have done what you are trying to do.  What are you trying to do??
>
>
>--
>Joel Esler | Talos: Manager | jesler at ...589...
>
>
>
>
>
>On Apr 10, 2017, at 3:55 AM, Luo Xin <kingsleyluoxin at ...125...> wrote:
>
>Hello, everyone!
>
>
>I have been confused about the flowbits option. According to the Snort manual, it is possible to use this option to implement a simple state machine. I have been trying to do that, but my attempts have proved to be failures. I have been wondering if I have a wrong understanding of this flowbits option.
>
>
>Is there anybody who has ever used the flowbits option to implement a protocol state machine? If so, would you please be so kind as to help me solve my puzzles?
>
>
>Any help shall be appreciated.
>------------------------------------------------------------------------------
>Check out the vibrant tech community on one of the world's most
>engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>Please visit http://blog.snort.org to stay current on all the latest Snort news!

