Re: Problems on Flowbits Option

["Al Lewis (allewi)" <allewi () cisco com>]

It will help if you provided an example. 

“My rules don’t work” isnt much to go on :-)


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com 








On 4/11/17, 9:58 PM, "Luo Xin" <kingsleyluoxin () hotmail com> wrote:

> I am trying to build a state machine for TCP or other protocols. But I don’t know why my rules donn’t work. ☹
>
> 发件人: "Joel Esler (jesler)" <jesler () cisco com<mailto:jesler () cisco com>>
> 日期: 2017年4月10日 星期一 下午11:55
> 至: Luo Xin <kingsleyluoxin () hotmail com<mailto:kingsleyluoxin () hotmail com>>
> 抄送: "snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>" <snort-users () lists 
> sourceforge net<mailto:snort-users () lists sourceforge net>>
> 主题: Re: [Snort-users] Problems on Flowbits Option
>
> Many people have done what you are trying to do.  What are you trying to do??
>
>
> --
> Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>
>
>
>
>
>
> On Apr 10, 2017, at 3:55 AM, Luo Xin <kingsleyluoxin () hotmail com<mailto:kingsleyluoxin () hotmail com>> wrote:
>
> Hello, everyone!
>
>
> I have been confused about the flowbits option. According to the snort manual, it is possible to use this option to 
> implement a simple state machine. I have been trying to do that, but my tries prove to be failure. I have been 
> wondering if I have wrong understanding about this flowbits option.
>
>
> Is there anybody that has ever used flowbits option to implement a protocol state machine? If any, would you please be 
> so kind as to help me solve my puzzles?
>
>
> Any help shall be appreciated .
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org<http://Slashdot.org>! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!