Re: WRITE RULE ERROR

[DFIRob via Snort-users <snort-users () lists snort org>]

that and, discounting other typos, flags:S;flow:to_server,established is
very unlikely to trigger.

--r

On Mon, Oct 23, 2017 at 7:49 PM, Jason Hellenthal <jhellenthal () dataix net>
wrote:

> What is “sencond” ? I suspect this is your problem.
>
>
> > On Oct 23, 2017, at 09:43, nguyen cao via Snort-users <
> snort-users () lists snort org> wrote:
> > <Untitled.png>
> > ​​I write rule snort alert this type :alert any any -> any any
> (msg:"Test";ack:1;classtype:shellcode-detect;sid;1000001;rev:1;)
> > and
> > alert any any -> any any (msg:"test2";flags:S;flow:to_
> server,established;detecion_filter:track by_src, count: 5,sencond 5;
> classtype:shellcode-detect;sid:1000002;rev:1;)
> > But the 2 rules are not alert. People ask me how to write an alert rule
> with the above type?
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists snort org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!