<div dir="ltr"><div>that and, discounting other typos, <span class="gmail-im">flags:S;flow:to_<wbr>server,established is very unlikely to trigger.<br><br></span></div><span class="gmail-im">--r<br></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 23, 2017 at 7:49 PM, Jason Hellenthal <span dir="ltr"><<a href="mailto:jhellenthal@dataix.net" target="_blank">jhellenthal@dataix.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What is “sencond” ? I suspect this is your problem.<br>
<br>
<br>
> On Oct 23, 2017, at 09:43, nguyen cao via Snort-users <<a href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>> wrote:<br>
><br>
<span class="">> ​​I write rule snort alert this type :alert any any -> any any (msg:"Test";ack:1;classtype:<wbr>shellcode-detect;sid;1000001;<wbr>rev:1;)<br>
> and<br>
> alert any any -> any any (msg:"test2";flags:S;flow:to_<wbr>server,established;detecion_<wbr>filter:track by_src, count: 5,sencond 5; classtype:shellcode-detect;<wbr>sid:1000002;rev:1;)<br>
><br>
><br>
> But the 2 rules do not alert. People ask me how to write an alert rule with the above type?<br>
</span>> ______________________________<wbr>_________________<br>
> Snort-users mailing list<br>
> <a href="mailto:Snort-users@lists.snort.org">Snort-users@lists.snort.org</a><br>
> Go to this URL to change user options or unsubscribe:<br>
> <a href="https://lists.snort.org/mailman/listinfo/snort-users" rel="noreferrer" target="_blank">https://lists.snort.org/<wbr>mailman/listinfo/snort-users</a><br>
><br>
> Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br>
<br>
</blockquote></div><br></div>
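<div>The problems raised in this thread, collected into a small rule linter run over the two posted rules. This is an added example, not code from the thread or from the Snort project; the keyword list is a deliberately small subset, and FIXED is a constructed correction that assumes the intent was to alert on repeated SYNs from one source.</div>

```python
import difflib
import re

# The two rules as posted in the thread, plus one constructed correction that
# assumes the intent was "alert on 5 SYNs from one source within 5 seconds".
RULE1 = 'alert any any -> any any (msg:"Test";ack:1;classtype:shellcode-detect;sid;1000001;rev:1;)'
RULE2 = ('alert any any -> any any (msg:"test2";flags:S;flow:to_server,established;'
         'detecion_filter:track by_src, count: 5,sencond 5; '
         'classtype:shellcode-detect;sid:1000002;rev:1;)')
FIXED = ('alert tcp any any -> any any (msg:"test2"; flags:S; '
         'detection_filter:track by_src, count 5, seconds 5; '
         'classtype:shellcode-detect; sid:1000002; rev:1;)')

PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Subset of Snort 2 option keywords: only the ones used in this thread.
KNOWN = ["ack", "classtype", "detection_filter", "flags", "flow", "msg", "rev", "sid"]
DF_SYNTAX = re.compile(r"track\s+by_(src|dst)\s*,\s*count\s+\d+\s*,\s*seconds\s+\d+")

def lint_rule(rule):
    """Return a list of problems found in one rule (simplified parser)."""
    m = re.match(r"\s*([^(]*)\((.*)\)\s*$", rule, re.S)
    if not m:
        return ["no (options) section"]
    problems, opts = [], {}
    header = m.group(1).split()
    # Header layout: action proto src_ip src_port direction dst_ip dst_port
    if len(header) != 7 or header[1].lower() not in PROTOCOLS:
        problems.append("header: need 'action proto src sport -> dst dport'")
    # Naive split: assumes no escaped ';' inside option values.
    for raw in filter(None, (o.strip() for o in m.group(2).split(";"))):
        name, sep, value = (part.strip() for part in raw.partition(":"))
        if name not in KNOWN:
            guess = difflib.get_close_matches(name, KNOWN, n=1)
            hint = f" (did you mean {guess[0]!r}?)" if guess else ""
            problems.append(f"unknown option {name!r}{hint}")
            name = guess[0] if guess else name  # still check its value
        elif not sep:
            problems.append(f"option {name!r} has no ':value'")
        opts[name] = value
    df = opts.get("detection_filter")
    if df is not None and not DF_SYNTAX.fullmatch(df):
        problems.append("detection_filter: need 'track by_src|by_dst, count N, seconds N'")
    flow = opts.get("flow", "").replace(" ", "").split(",")
    if opts.get("flags") == "S" and "established" in flow:
        problems.append("flags:S with flow:established: a bare SYN precedes an "
                        "established session, so this is very unlikely to match")
    return problems

if __name__ == "__main__":
    print([lint_rule(r) or "ok" for r in (RULE1, RULE2, FIXED)])
```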