[Snort-users] Problems on how to use Option flowbits

Luo Xin kingsleyluoxin at ...125...
Tue Apr 11 23:31:02 EDT 2017

alert tcp any any -> $HOME_NET any (msg: "State 1"; GID: 1; sid: 10000001; flags: S; flowbits: isnotset, S1; flowbits: set, S1;)
alert tcp $HOME_NET any -> any any (msg: "State 2"; GID: 1; sid: 10000002; flags: SA; flowbits: isset, S1; flowbits: set, S2;)
alert tcp any any -> $HOME_NET any (msg: "State 3"; GID: 1; sid: 10000003; flags: A; flowbits: isset, S2; flowbits: set, S3;)

Above are my simple rules to build a simple state machine for the initialization of a TCP connection. But if I want to use this model to detect syn_flood attacks, what do I need to do? That is, how can I use rules to describe a situation that is not accepted by the state machine described in a handful of Snort rules?
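
Added example, not part of the original post and not Snort code: a simplified Python model of the three rules above run over constructed traffic, showing that a flow which never finishes the handshake fires no further rule and simply stays at S1 or S2. It assumes flowbits are kept per flow for both directions, exact `flags` matching, and a constructed HOME_NET of 10.0.0.0/8; `evaluate`, `half_open` and `SAMPLE` are hypothetical names.

```python
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")  # constructed value, stands in for $HOME_NET

# The three rules from the post: direction, exact flags, flowbits test, flowbits set.
RULES = [
    {"sid": 10000001, "to_home": True,  "flags": "S",  "isnotset": "S1", "set": "S1"},
    {"sid": 10000002, "to_home": False, "flags": "SA", "isset": "S1",    "set": "S2"},
    {"sid": 10000003, "to_home": True,  "flags": "A",  "isset": "S2",    "set": "S3"},
]

def evaluate(packets):
    """Run (src, sport, dst, dport, flags) tuples through RULES.
    Returns (list of (sid, src, sport), per-flow flowbits)."""
    bits, alerts = {}, []
    for src, sport, dst, dport, flags in packets:
        # Assumption: one flowbits set per flow, shared by both directions.
        state = bits.setdefault(frozenset([(src, sport), (dst, dport)]), set())
        for r in RULES:
            home_side = dst if r["to_home"] else src
            if ip_address(home_side) not in HOME_NET or set(flags) != set(r["flags"]):
                continue
            if "isset" in r and r["isset"] not in state:
                continue
            if "isnotset" in r and r["isnotset"] in state:
                continue
            state.add(r["set"])
            alerts.append((r["sid"], src, sport))
    return alerts, bits

def half_open(bits):
    """Flows that entered the state machine (S1) but never reached S3."""
    return [flow for flow, state in bits.items() if "S1" in state and "S3" not in state]

# Constructed traffic: one full handshake, then three SYNs that are never completed.
SAMPLE = [
    ("198.51.100.7", 40000, "10.0.0.5", 80, "S"),
    ("10.0.0.5", 80, "198.51.100.7", 40000, "SA"),
    ("198.51.100.7", 40000, "10.0.0.5", 80, "A"),
    ("203.0.113.9", 50001, "10.0.0.5", 80, "S"),
    ("203.0.113.9", 50002, "10.0.0.5", 80, "S"),
    ("203.0.113.9", 50003, "10.0.0.5", 80, "S"),
    ("10.0.0.5", 80, "203.0.113.9", 50001, "SA"),
    ("203.0.113.9", 50002, "10.0.0.5", 80, "S"),  # retransmitted SYN: S1 already set
]

if __name__ == "__main__":
    alerts, bits = evaluate(SAMPLE)
    print([sid for sid, _, _ in alerts])
    print(len(half_open(bits)), "flows stuck before S3")
```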
