Re: rules with flow:established not working

[Erek Adams <erek () snort org>]

On Fri, 24 Oct 2003, Ed Callahan wrote:

> My IIS rules aren't triggering when I test with Nitka. I've debugged and
> narrowed the problem down to this: all my snort rules that contain
> "flow:established" are not working. If I run snort with just the rule
>
> alert tcp any any -> any 80 (msg:"test";)
>
> and point my browser to the server I get all sorts of hits on that rule. But
> if I use
>
> alert tcp any any -> any 80 (msg:"test"; flow:established;)
>
> I get silence.
>
> I have Snort 2.0.2 on a Win2003 server and WinPcap 3.0. I do have stream4
> running, my snort.conf (which I simplified a bunch during debugging) is
> below.
>
> I'm out of ideas, does anyone know what the problem might be or how to
> troubleshoot this thing further?
>
> Ed Callahan
> snort () edcallahan com
>
> preprocessor frag2
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
> include c:/snort/etc/classification.config
> include c:/snort/etc/reference.config
> include c:/snort/rules/local.rules

Try:

        alert tcp any any -> any 80 (msg:"test";
              flow:established,to_server;)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users