This is a discussion on [Snort-users] A "Flowbits" issue within the Snort forums, part of the System Security and Security Related category.
Hi,

My question is: should we use "flowbits" to check a packet against multiple rules, or should we only use "flowbits" to check subsequent packets?

Consider this rule, which marks the flow as "the specific user 'tung' has logged in":

R0: alert tcp 192.168.0.1 any -> any any (content:"logged in"; flowbits:set,logged_in; content:"username:tung"; flowbits:set,tung_logged_in;)

Can we split this rule into these two rules?

R1: alert tcp 192.168.0.1 any -> any any (content:"logged in"; flowbits:set,logged_in; flowbits:noalert;)
R2: alert tcp 192.168.0.1 any -> any any (content:"username:tung"; flowbits:isset,logged_in; flowbits:set,tung_logged_in;)

Do we normally write rules this way when we use "flowbits"? Is there any situation where we should split a rule when "flowbits" is used?

The problem I see when using "flowbits" to check a packet against multiple rules is that the rule triggering order might cause problems. In the example above, if R1 is triggered before R2, these two rules do the same thing as rule R0; however, if R2 is triggered before R1, these two rules don't function as we expect.

Any idea about this "flowbits" issue?

Thank you very much,
Tung
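As an added illustration of the ordering problem the post describes (this is a constructed example, not code from the post or from Snort): a small Python model of flowbits semantics. It parses the two split rules (with the syntax fixed and constructed sid values added), keeps a per-flow set of bits, and runs packets through the rules in a chosen order. With both strings in one packet, as in R0, the outcome flips with the rule order; when "logged in" is seen on an earlier packet than "username:tung", the result is the same in either order, because the bit is already on the flow before the checking rule runs. The rule header is not evaluated here, and only the `content`, `flowbits` and `sid` options are parsed.

```python
"""Toy model of Snort flowbits (set/unset/isset/isnotset/noalert) over a per-flow
state table, showing why splitting R0 into R1 and R2 is order-independent only
when the bit is set on an earlier packet than the one that checks it.
Constructed example, not Snort code; the parser covers only the options used
below and the rule header (proto/addresses/ports) is not evaluated."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One rule option per match: name, optional value (quoted text allowed), then ';'
OPT_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?;')


@dataclass
class Rule:
    sid: str
    contents: List[str]               # every content string must occur in the payload
    flowbits: List[Tuple[str, str]]   # (op, bitname) in the order written in the rule
    noalert: bool = False


def parse_rule(text: str) -> Rule:
    """Parse the option body of a Snort rule into a Rule (simplified grammar)."""
    body = text[text.index('(') + 1:text.rindex(')')]
    contents, flowbits, sid, noalert = [], [], '', False
    for name, value in OPT_RE.findall(body):
        value = value.strip()
        if name == 'content':
            contents.append(value.strip('"'))
        elif name == 'flowbits':
            parts = [p.strip() for p in value.split(',')]
            if parts[0] == 'noalert':
                noalert = True
            else:
                flowbits.append((parts[0], parts[1]))
        elif name == 'sid':
            sid = value
    return Rule(sid, contents, flowbits, noalert)


def evaluate(rules: List[Rule], flows: Dict[tuple, set], pkt: dict) -> List[str]:
    """Run one packet through `rules` in the given order and return alerting sids.
    `flows` maps a flow key to the set of bits currently set on that flow and is
    updated in place. A 'set' takes effect as soon as the option is reached, so a
    rule evaluated later on the SAME packet can already observe it."""
    bits = flows.setdefault(pkt['flow'], set())
    alerts = []
    for rule in rules:
        if not all(c in pkt['payload'] for c in rule.contents):
            continue
        matched = True
        for op, bit in rule.flowbits:
            if (op == 'isset' and bit not in bits) or (op == 'isnotset' and bit in bits):
                matched = False
                break
            if op == 'set':
                bits.add(bit)
            elif op == 'unset':
                bits.discard(bit)
        if matched and not rule.noalert:
            alerts.append(rule.sid)
    return alerts


# The split rules from the post; msg and sid values are constructed for this example.
RULE_TEXT = {
    'R1': 'alert tcp 192.168.0.1 any -> any any (msg:"login banner"; content:"logged in"; '
          'flowbits:set,logged_in; flowbits:noalert; sid:1000001;)',
    'R2': 'alert tcp 192.168.0.1 any -> any any (msg:"user tung logged in"; content:"username:tung"; '
          'flowbits:isset,logged_in; flowbits:set,tung_logged_in; sid:1000002;)',
}
RULES = {k: parse_rule(v) for k, v in RULE_TEXT.items()}
FLOW = ('192.168.0.1', 23, '10.0.0.7', 51000)   # constructed 4-tuple for one TCP session


def same_packet(order: List[str]):
    """Both strings in ONE packet (the R0 case): the outcome depends on rule order."""
    flows: Dict[tuple, set] = {}
    pkt = {'flow': FLOW, 'payload': 'You are logged in. username:tung'}
    alerts = evaluate([RULES[s] for s in order], flows, pkt)
    return alerts, sorted(flows[FLOW])


def two_packets(order: List[str]):
    """'logged in' on one packet, 'username:tung' on a later one: order-independent."""
    flows: Dict[tuple, set] = {}
    rules = [RULES[s] for s in order]
    alerts = evaluate(rules, flows, {'flow': FLOW, 'payload': 'You are logged in.'})
    alerts += evaluate(rules, flows, {'flow': FLOW, 'payload': 'username:tung'})
    return alerts, sorted(flows[FLOW])


if __name__ == '__main__':
    for order in (['R1', 'R2'], ['R2', 'R1']):
        print(order, 'same packet ->', same_packet(order), '| two packets ->', two_packets(order))
```

The model makes the post's concern concrete: R2's `isset` only succeeds if R1's `set` has already run on that flow, so when both matches come from one packet the split pair behaves like R0 only under one of the two evaluation orders, whereas R0 itself (two `content` checks and two `set`s in a single rule) has no such dependency. Keeping the state change and the check on different packets, for example setting the bit on the server's "logged in" response and checking it on the client's next request, is the pattern that does not depend on which rule the detection engine evaluates first.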