Snort mailing list archives
Re: porno rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 21:56:56 -0400
At 05:10 PM 4/29/2003 -0700, Bryan Irvine wrote:
I've figured it out. I changed this "flow:to_client,established;" to this "flags:A+;" I'm very new to snort. I installed it for the first time right before 2.0-release came out. What do these 2 options do?
flow:to_client,established: The packet must be flowing to the client half of the TCP 3-way handshake (ie: the one that started the connection in the first place) and must be in an established state (ie: not part of the 3-way handshake or the teardown sequence). Note that flows seem to require that stream4 be enabled to work correctly.

flags:A+: The packet must have the TCP ack bit set. Other bits may be set as well and are treated as "don't care". This has a somewhat similar effect to the "established" part of the flow, but it's stateless so it will also match a "stray ack packet" that isn't associated with an existing connection.
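To make the stateless/stateful difference concrete, here is an added example (not part of the original mail and not Snort's own code) that models both options over a constructed packet trace. The StreamTracker is a much-simplified stand-in for stream4, and the packet format and addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str    # sending "ip:port"
    dst: str    # receiving "ip:port"
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA", "FA", "R"

def flags_a_plus(pkt: Pkt) -> bool:
    # flags:A+ -- ACK bit set, any other bits are "don't care". Stateless:
    # it never asks whether a connection exists.
    return "A" in pkt.flags

class StreamTracker:
    # Toy stand-in for stream4 (assumption: heavily simplified). It remembers
    # which endpoint sent the SYN (the client) and how far the handshake got.
    def __init__(self):
        self.client = {}  # flow key -> client endpoint
        self.state = {}   # flow key -> "syn" | "synack" | "established" | "teardown"

    def update(self, pkt: Pkt) -> None:
        k = frozenset((pkt.src, pkt.dst))
        if pkt.flags == "S":
            self.client[k], self.state[k] = pkt.src, "syn"
        elif pkt.flags == "SA" and self.state.get(k) == "syn":
            self.state[k] = "synack"
        elif "A" in pkt.flags and self.state.get(k) == "synack":
            self.state[k] = "established"
        elif "F" in pkt.flags or "R" in pkt.flags:
            self.state[k] = "teardown"

    def flow_to_client_established(self, pkt: Pkt) -> bool:
        # flow:to_client,established -- packet travels toward the connection's
        # initiator, and the tracked connection is past the handshake and not
        # in teardown. A packet with no tracked connection can never match.
        k = frozenset((pkt.src, pkt.dst))
        return self.state.get(k) == "established" and pkt.dst == self.client.get(k)

def evaluate(packets):
    # Judge each packet against the state that existed when it arrived, i.e.
    # the rule is evaluated before the preprocessor advances the stream.
    tracker, results = StreamTracker(), []
    for p in packets:
        results.append((flags_a_plus(p), tracker.flow_to_client_established(p)))
        tracker.update(p)
    return results

# Constructed trace: a normal handshake, one data packet from the server, then a
# stray ACK from a host that never completed a handshake with anything tracked.
CLIENT, SERVER = "10.0.0.5:40000", "192.0.2.10:80"
TRACE = [Pkt(CLIENT, SERVER, "S"), Pkt(SERVER, CLIENT, "SA"), Pkt(CLIENT, SERVER, "A"),
         Pkt(SERVER, CLIENT, "PA"), Pkt("198.51.100.7:5555", "10.0.0.9:80", "A")]
```

Running `evaluate(TRACE)` shows the stray ACK (and the SYN/ACK of the handshake) satisfying flags:A+ while only the server's data packet satisfies flow:to_client,established; an FIN or RST afterwards drops the flow out of the established state.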