Snort mailing list archives

newbie question about pass and alert directive


From: "." <rlorenzo121 () gmail com>
Date: Fri, 22 Feb 2013 10:27:46 +0100

Hi folks,
I'm new to Snort and, reading the docs... I can't find what I'm looking for
(maybe I have to concentrate more)

If I want to ignore the SYN+ACK, RST+ACK and ACK used for normal established
connections from my server to every host on the internet, but I want to generate
an alert for every spurious ACK or RST generated by my server that does not belong
to any ESTABLISHED connection.

So from what I understood, my rule will be:
alert tcp $HOME_NET any -> any any (msg:"test rule";
flow:from_server,not_established; classtype:not-suspicious; sid:10000012;
rev:1;)



another question:

writing these rules:

1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A;
classtype:not-suspicious; sid:10000013; rev:1;)
2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A;
content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014;
rev:1;)

Will the rule at point 2 be ignored because the rule at point 1 tells Snort to
ignore every TCP packet with the ACK flag set?


Thank you in advance for your response,

Regards,

Federico
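An added example (not part of the original post) showing one way to write the two rule sets the question is about, with the pass rule narrowed so it cannot shadow the content rule. It assumes Snort 2.9.x with the stream5 preprocessor and the default rule order, in which pass rules are evaluated before alert rules; the sids are the poster's own, reused with rev bumped.

```snort
# Question 1: alert on ACK or RST segments leaving a local server that the
# stream tracker does not tie to an established session. "flags:*AR" matches
# when either bit is set; the ",12" mask ignores the two reserved (ECN) bits,
# which would otherwise stop a bare "flags:A" from matching.
alert tcp $HOME_NET any -> any any (msg:"ACK/RST from server outside established session"; \
    flags:*AR,12; flow:from_server,not_established; \
    classtype:not-suspicious; sid:10000012; rev:2;)

# Question 2: a pass rule is a whitelist, so keep it as narrow as possible.
# A pass rule on every ACK packet would silence any alert rule that needs an
# ACK packet too. Pure acknowledgements carry no payload (dsize:0), so passing
# only those cannot swallow a content rule, which needs payload to match.
pass tcp $HOME_NET any -> any any (msg:"ignore empty ACKs of established sessions"; \
    flags:A,12; dsize:0; flow:established; \
    classtype:not-suspicious; sid:10000013; rev:2;)

# The content rule still sees every payload-carrying ACK segment.
alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; \
    flags:A,12; content:"bogus trojan"; nocase; \
    classtype:trojan-activity; sid:10000014; rev:2;)
```

Load the rules and check the ordering in effect with `snort -c snort.conf --dump-dynamic-rules` is not needed; a quick `snort -T -c snort.conf` validates the syntax, and the rule order is shown in the startup output under "Rule application order".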