The first rule would get flowbits:noalert; flowbits:set,google.user.agent; And the second rule would get flowbits:isset,google.user.agent;
Is that global (if #1, then always #2), or is it "per-IP" ?I verified I can block the SSL session setup using the snort sig I posted the other day .. but it kills any Google SSL (gmail, groups, etc.) .. which is fine, provided I can only block google SSL to users that are running the desktop.
~Mike. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/