Snort mailing list archives

Re: Looking for info on Flowbits


From: Nigel Houghton <nigel () sourcefire com>
Date: Wed, 5 Apr 2006 23:46:38 -0500

Date: Wed, 5 Apr 2006 10:01:55 -0400
From: dajackman <robby.lists () gmail com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Looking for info on Flowbits

I am interested in reading more about the flowbits option.  I have
poked around a little on the net and haven't satisfied my curiosity.
Does anyone know a good write-up/doc on the flowbit and/or the flow
preprocessor?  What started my search was trying to understand how the
below rule works.  Thanks for any help


alert tcp any any <> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH
session in progress on Unusual Port"; flowbits: isset,is_proto_ssh;
threshold: type both, track by_src, count 2, seconds 300;
classtype:misc-activity; sid: 2001984; rev:4; )

Take a look in the doc directory that comes with the snort source, in
there you will find a doc called README.flowbits. It is very clear and
concise about using flowbits.

At the end of that document are some very simple and easy to understand
rules that also illustrate the use of flowbits.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
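To make concrete what the quoted rule is doing, here is a small Python model of flowbits evaluation, added as an example; it is not from README.flowbits, Sourcefire, or the original posts. It pairs the sid 2001984 rule from the question with a constructed companion rule that sets the `is_proto_ssh` bit when a client-to-server SSH banner appears on a port outside `$SSH_PORTS` (the real Bleeding Edge setter rule is not on this page, so that companion rule, the `$SSH_PORTS` value and all packets below are assumptions). The point the model shows is that flowbits state belongs to the flow, not the packet: the alert rule never inspects a payload, yet it fires on a later packet of the same session because an earlier packet set the bit, and `threshold: type both, track by_src, count 2, seconds 300` suppresses everything except the second hit per source in each 300-second window.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for the $SSH_PORTS variable (assumption).
SSH_PORTS = {22}
SID_UNUSUAL_PORT = 2001984  # sid of the rule quoted in the question


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    ts: float  # seconds since capture start


def flow_key(p):
    """Bidirectional flow key so both directions share one flowbits store."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class FlowbitsEngine:
    def __init__(self):
        self.bits = defaultdict(set)   # flow key -> names of bits currently set
        self.windows = {}              # (sid, src) -> (window_start, hits)

    def threshold_both(self, sid, src, ts, count, seconds):
        """threshold: type both, track by_src -- fire once per window, only on
        the hit that makes this source's count reach `count`."""
        start, hits = self.windows.get((sid, src), (None, 0))
        if start is None or ts - start >= seconds:
            start, hits = ts, 0            # open a fresh window
        hits += 1
        self.windows[(sid, src)] = (start, hits)
        return hits == count

    def process(self, p):
        bits = self.bits[flow_key(p)]
        alerts = []
        # Companion rule (constructed): a client-to-server SSH banner on a
        # non-SSH port sets the bit and is itself silent (flowbits:noalert).
        if p.dport not in SSH_PORTS and p.payload.startswith(b"SSH-"):
            bits.add("is_proto_ssh")
        # The rule from the question: "<>" matches either direction, so the
        # port test is "dport or sport outside $SSH_PORTS"; the payload is
        # never inspected, only the bit left behind on the flow.
        if (p.dport not in SSH_PORTS or p.sport not in SSH_PORTS) \
                and "is_proto_ssh" in bits:
            if self.threshold_both(SID_UNUSUAL_PORT, p.src, p.ts, 2, 300):
                alerts.append(SID_UNUSUAL_PORT)
        return alerts


def run(packets):
    """Feed packets in order; return indices of packets that raised sid 2001984."""
    eng = FlowbitsEngine()
    return [i for i, p in enumerate(packets) if eng.process(p)]


# Constructed sample traffic (not captured data).
C, S = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    Packet(C, 40000, S, 2222, b"SSH-2.0-OpenSSH_4.3\r\n", 0.0),   # sets bit; hit 1 for C
    Packet(S, 2222, C, 40000, b"SSH-2.0-OpenSSH_4.3\r\n", 0.1),   # hit 1 for S
    Packet(C, 40000, S, 2222, b"\x00\x00\x02\x9c\x0a\x14", 0.5),  # no banner; hit 2 for C -> alert
    Packet(C, 40000, S, 2222, b"\x00\x00\x00\x10", 1.0),          # hit 3 for C, suppressed
    Packet(C, 40001, S, 80, b"GET / HTTP/1.0\r\n\r\n", 1.5),       # other flow, bit never set
    Packet(C, 40002, S, 22, b"SSH-2.0-OpenSSH_4.3\r\n", 2.0),      # SSH on its usual port
]

if __name__ == "__main__":
    print("alerting packet indices:", run(SAMPLE))
```

Only packet index 2 alerts: packet 0 sets the bit but is just the first hit for 10.0.0.5, packet 1 is the server's first hit, and packet 3 is swallowed by the threshold window. Real Snort evaluates rules in its own order and keeps flow state in the stream/flow preprocessor, but the isset/threshold interplay is the same as modelled here.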

