Snort mailing list archives

Rule construction


From: Bill McCarty <bmccarty () apu edu>
Date: Sun, 24 Mar 2002 10:15:29 -0800

I want to create a TCP rule that expects the SYN flag to be off, the ACK flag to be on, and doesn't care about remaining flags, including PSH in particular. I think that such a rule requires the NOT operator (!). But, it's not clear whether that operator is prefix or postfix, etc. And, I don't find an example of its use in the rule set I'm using. So, I'm unsure.

Q: Is the proper syntax "flags:S!A+; "?

Thanks!

---------------------------------------------------
Bill McCarty
