Re: Looking for info on Flowbits

[Jeff Kell <jeff-kell () utc edu>]

dajackman wrote:
> I am interested in reading more about the flowbits option.  I have
> poked around a little on the net and haven't satisfied my curiosity. 
> Does any one know a good writup/doc on the flowbit and or the flow
> preprocessor.  What started my search was trying to understand how the
> below rule works.  

I'm guessing on the nature of your question, but one thing that confused me about flowbits to begin with is that the 
flowbit names you see pop up in rules are themselves defined by the rules, they aren't some magical reserved words that 
the flow preprocessor knows about.  

You can "set" a flowbit as the action part of any rule, and pick any name you want.

If you otherwise reference a flowbit in any other rule, it should be defined previously (somewhere), else it will never 
match (or more correctly, never be "isset").

If you see a flowbit reference you aren't sure about, grep the rules to find out which rules define it.

Jeff



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users