Snort mailing list archives
RE: rules with flow:established not working
From: "Ed Callahan" <snort () edcallahan com>
Date: Fri, 24 Oct 2003 14:19:40 -0500
Thanks for the idea Erek, but I get the absolute silence from that rule as well. I have removed "established" from all my rules and now am getting all sorts of snort reports of attacks on my IIS box (as expected), but with established back in there I get no IIS reports.

Ed Callahan
snort () edcallahan com

On Fri, 10/24/2003 Erek wrote:

> Try:
>
> alert tcp any any -> any 80 (msg:"test"; flow:established,to_server;)
>
> Cheers!
>
> -----
> Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
>
> On Fri, 24 Oct 2003, Ed Callahan wrote:
>
> > My IIS rules aren't triggering when I test with Nikto. I've debugged and narrowed the problem down to this: all my snort rules that contain "flow:established" are not working. If I run snort with just the rule
> >
> > alert tcp any any -> any 80 (msg:"test";)
> >
> > and point my browser to the server I get all sorts of hits on that rule. But if I use
> >
> > alert tcp any any -> any 80 (msg:"test"; flow:established;)
> >
> > I get silence. I have Snort 2.0.2 on a Win2003 server and WinPcap 3.0. I do have stream4 running; my snort.conf (which I simplified a bunch during debugging) is below. I'm out of ideas, does anyone know what the problem might be or how to troubleshoot this thing further?
> >
> > Ed Callahan
> > snort () edcallahan com
> >
> > preprocessor frag2
> > preprocessor stream4: disable_evasion_alerts
> > preprocessor stream4_reassemble
> > include c:/snort/etc/classification.config
> > include c:/snort/etc/reference.config
> > include c:/snort/rules/local.rules
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
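The following is an added example and not part of the thread or its eventual resolution. It shows one way to isolate whether stream4 is supplying session state to the rule engine at all: three local rules that differ only in their flow option, run against the same minimal snort.conf the poster used. The file paths follow the poster's c:/snort layout; the sid values 1000001 to 1000003 are arbitrary local-rule numbers chosen for this example.

```snort
# Added example (not from the thread): minimal Snort 2.x test configuration
# plus three rules that differ only in their flow option.

# --- c:/snort/etc/snort.conf ---
# flow:established depends on stream4 tracking the TCP session, so stream4
# must be loaded before the rules are read.
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
include c:/snort/etc/classification.config
include c:/snort/etc/reference.config
include c:/snort/rules/local.rules

# --- c:/snort/rules/local.rules ---
# 1. No flow option: fires on every packet to port 80, the SYN included.
alert tcp any any -> any 80 (msg:"test no-flow"; sid:1000001; rev:1;)

# 2. flow:established,to_server: fires only on client-to-server packets of a
#    session that stream4 has tracked through its three-way handshake.
alert tcp any any -> any 80 (msg:"test established"; flow:established,to_server; sid:1000002; rev:1;)

# 3. flow:stateless: explicitly ignores session state, so it fires whether
#    or not stream4 knows anything about the connection.
alert tcp any any -> any 80 (msg:"test stateless"; flow:stateless; sid:1000003; rev:1;)
```

Reading the result: if rules 1 and 3 alert on a fresh browser connection but rule 2 never does, stream4 is running but is not marking the session established. A session that stream4 did not observe from the SYN onward is not marked established, so start Snort before opening the browser connection and confirm that both directions of the TCP traffic reach the sniffing interface; a session where only one direction is captured never completes the handshake from stream4's point of view. If rule 3 is silent as well, the problem is upstream of flow handling (rule file not loaded, wrong interface, or the preprocessor line not parsed), which Snort's startup output and a config test run will show.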
Current thread:
- rules with flow:established not working Ed Callahan (Oct 24)
- Re: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- Re: rules with flow:established not working Erek Adams (Oct 24)
- <Possible follow-ups>
- RE: rules with flow:established not working Schmehl, Paul L (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 25)
- RE: rules with flow:established not working Paul Schmehl (Oct 25)