Snort mailing list archives

RE: fragbits option

From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Wed, 27 Mar 2002 15:28:15 -0500

I'm testing using the fragbits option and have read the doc on writing
rules. I'm trying to figure out my options when using the fragbits option.
When is a "+" sign used and when is it not? For example, what's the
difference between:

fragbits: D

and

fragbits: D+


The "+" tells snort to look for the specified fragment or reserve bit plus
any other.  

examples:

fragbits: D -> ONLY the "Don't Fragment" flag
fragbits: D+ -> "Don't Fragment" flag PLUS any other i.e. RB - "Reserved
Bit"

Hope this helps,

- Jeff

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

fragbits option Sheahan, Paul (PCLN-NW) (Mar 27)
- Re: fragbits option Erek Adams (Mar 27)
- <Possible follow-ups>
- RE: fragbits option Wirth, Jeff (Mar 27)