I need to write a rule that captures the SYN-scanning. I tried this: alert

Question

0

Asked: June 12, 20262026-06-12T23:05:59+00:00 2026-06-12T23:05:59+00:00

I need to write a rule that captures the SYN-scanning. I tried this: alert

0

I need to write a rule that captures the SYN-scanning.
I tried this: alert tcp any any -> any any (flags:S,12; msg:"SYN"; sid: 1231213;)
then try to scan: nmap -sS myIP but this does not output “SYN”
How to write a correct rule? Thanks.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-12T23:06:00+00:00

Try to change flags:S,12 to flags:S as the Snort manual states:

The reserved bits ‘1’ and ‘2’ have been replaced with ‘C’ and ‘E’, respectively, to match RFC 3168, “The Addition of Explicit Congestion Notification (ECN) to IP”. The old values of ‘1’ and ‘2’ are still valid for the flag keyword, but are now deprecated.

So 12 will check if the two reserved bits are set which is probably not what you want. Also as I understand the documentation flags:S will match packets with only SYN set which should be correct in your case I guess. If you want to match some flags regardless of other flags you can use *.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I need to write a rule that captures the SYN-scanning. I tried this: alert

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply