Snort Manual-2 8 5 1

Published by: rir1986 on Aug 11, 2010
Copyright:Attribution Non-commercial


10/25/2012


The flowbits keyword is used in conjunction with conversation tracking from the Stream preprocessor (see Section 2.2.2).
It allows rules to track states across transport protocol sessions. The flowbits option is most useful for TCP sessions,
as it allows rules to generically track the state of an application protocol.

There are seven keywords associated with flowbits. Most of the options need a user-defined name for the specific
state that is being checked. This name should be limited to alphanumeric characters, periods, dashes, and
underscores.

Option     Description

set        Sets the specified state for the current flow.
unset      Unsets the specified state for the current flow.
toggle     Sets the specified state if the state is unset, otherwise unsets the state if the state is set.
isset      Checks if the specified state is set.
isnotset   Checks if the specified state is not set.
noalert    Cause the rule to not generate an alert, regardless of the rest of the detection options.

Format

flowbits: [set|unset|toggle|isset|reset|noalert][,<STATE_NAME>];

Examples

alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in; flowbits:noalert;)

alert tcp any any -> any 143 (msg:"IMAP LIST"; content:"LIST"; flowbits:isset,logged_in;)
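
The following is an added example, not code from the Snort manual or from Snort itself: a simplified Python model of how the two rules above share per-flow state, covering the six options in the table. The names Rule, Packet, flow_key, evaluate and run are hypothetical, the sample packets are constructed, and the model assumes port and single-content matching only, with state changes applied only when the whole rule matches.

```python
# Simplified model of flowbits semantics (added example, not Snort code).
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Rule:
    msg: str
    src_port: object   # int or "any"
    dst_port: object
    content: bytes
    flowbits: list     # [(op, state_name or None), ...]

@dataclass
class Packet:
    src: tuple         # (ip, port)
    dst: tuple
    payload: bytes

def flow_key(pkt):
    # Both directions of a session map to the same flow.
    return tuple(sorted((pkt.src, pkt.dst)))

def evaluate(rule, pkt, flows):
    """Return True if rule alerts on pkt; updates the flow's state bits."""
    if rule.src_port not in ("any", pkt.src[1]) or rule.dst_port not in ("any", pkt.dst[1]):
        return False
    if rule.content not in pkt.payload:
        return False
    bits = flows[flow_key(pkt)]
    for op, name in rule.flowbits:      # checks: a failed test means no match
        if (op == "isset" and name not in bits) or (op == "isnotset" and name in bits):
            return False
    alert = True
    for op, name in rule.flowbits:      # assumption: state changes only on a full match
        if op == "set": bits.add(name)
        elif op == "unset": bits.discard(name)
        elif op == "toggle": bits.symmetric_difference_update({name})
        elif op == "noalert": alert = False
    return alert

# The two rules from the Examples above, expressed in the model.
LOGIN = Rule("IMAP login", 143, "any", b"OK LOGIN", [("set", "logged_in"), ("noalert", None)])
LIST = Rule("IMAP LIST", "any", 143, b"LIST", [("isset", "logged_in")])

def run(packets, rules=(LOGIN, LIST)):
    flows = defaultdict(set)
    return [(i, r.msg) for i, p in enumerate(packets) for r in rules if evaluate(r, p, flows)]

# Constructed sample traffic (addresses and payloads are made up).
CLIENT, SERVER, OTHER = ("10.0.0.5", 40000), ("10.0.0.9", 143), ("10.0.0.6", 40001)
SAMPLE = [
    Packet(CLIENT, SERVER, b'a1 LIST "" *'),           # before login: isset fails
    Packet(SERVER, CLIENT, b"a1 OK LOGIN completed"),  # sets logged_in, no alert
    Packet(CLIENT, SERVER, b'a2 LIST "" *'),           # same flow, bit set: alert
    Packet(OTHER, SERVER, b'a1 LIST "" *'),            # other flow: no state
]
```

Calling run(SAMPLE) reports only the third packet: the login rule sets the state silently because of noalert, and the LIST rule fires only on the flow where logged_in is set.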
