Snort mailing list archives
flowbits - checking multiple bits being set to create alerting
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 13 Jun 2011 17:51:17 +0000
Experimenting in the lab and wondering about a rule checking two flowbits in order to fire. It appears that checking multiple flowbits within a single rule alerts using OR instead of AND? Just seems weird that everything else in the rule has to be true in order for the rule to fire, except for multi-flowbit checking?

Example:

alert ip any any -> any any (msg:"Both flowbits set"; flowbits:isset,flowbit.numberone; flowbits:isset,flowbit.numbertwo; classtype:misc-activity; sid:1; rev:1;)

--
Eoin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
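An added example (not from this thread) of the flowbits pattern the question is about: two rules record that a marker was seen without alerting, and a third fires only when both bits are set on the same flow. It assumes the `&` operator that Snort 2.9 accepts for combining bits in one isset check, and the content strings and SIDs are constructed.

```snort
# Setter rules: record that each marker was seen on the flow, but do not
# alert themselves (flowbits:noalert). Content strings and SIDs are constructed.
alert tcp any any -> any any (msg:"marker one seen"; flow:established; \
    content:"MARKER-ONE"; flowbits:set,flowbit.numberone; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"marker two seen"; flow:established; \
    content:"MARKER-TWO"; flowbits:set,flowbit.numbertwo; flowbits:noalert; \
    classtype:misc-activity; sid:1000002; rev:1;)

# Checker rule: with the & operator both bits must be set on the flow (AND);
# the | operator would instead fire when either bit is set (OR).
alert tcp any any -> any any (msg:"Both flowbits set"; flow:established; \
    flowbits:isset,flowbit.numberone&flowbit.numbertwo; \
    classtype:misc-activity; sid:1000003; rev:1;)
```

Flowbits are tracked per flow, so both markers must occur on the same TCP session for the checker rule to fire.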
Current thread:
- flowbits - checking multiple bits being set to create alerting Eoin Miller (Jun 13)
- Re: flowbits - checking multiple bits being set to create alerting Patrick Mullen (Jun 14)
- Re: flowbits - checking multiple bits being set to create alerting Eoin Miller (Jun 15)
- Re: flowbits - checking multiple bits being set to create alerting Patrick Mullen (Jun 14)