I believe it is per TCP session, but don't quote me on that. Actually now that i think about it, if it indeed is per TCP session then the second rule will not trigger, since the SSL connection will be a part of a different session.
I am not 100% sure though. Try it out and let us know. You might want to post to snort-sigs or snort-users and see if they are more helpful. On 2/14/06, Michael Holstein <[EMAIL PROTECTED]> wrote: > > The first rule would get flowbits:noalert; flowbits:set,google.user.agent; > > And the second rule would get flowbits:isset,google.user.agent; > > Is that global (if #1, then always #2), or is it "per-IP" ? > > I verified I can block the SSL session setup using the snort sig I > posted the other day .. but it kills any Google SSL (gmail, groups, > etc.) .. which is fine, provided I can only block google SSL to users > that are running the desktop. > > ~Mike. > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/