Snort mailing list archives

RE: rules with flow:established not working


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 24 Oct 2003 16:31:36 -0500

-----Original Message-----
From: Ed Callahan [mailto:snort () edcallahan com] 
Sent: Friday, October 24, 2003 3:23 PM
To: Erek Adams
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] rules with flow:established not working

How does snort know the flow is established?

Erek can correct me if I'm wrong, but I'm pretty sure it's the three way
handshake, and I'm *not* sure that Nikto does that.  I think it may just
throw exploit strings at the server and look at the responses.  If so,
that would explain why the flow:established rules aren't triggering
alerts.

Can I look at the packets to see if the problem is with the NIC/OS or with WinPCap/Snort?

I would think that ethereal would show you what's going on.  Just start
it up and record the session and then browse through the results.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
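The dependency Paul describes between flow:established and the three-way handshake can be made concrete with a small model. The following is an added illustration written for this archive page, not Snort's own stream4 code and not anything posted in the thread: a toy connection tracker that moves a TCP 4-tuple through SYN_SENT, SYN_RECV and ESTABLISHED exactly as the handshake is observed, and a rule matcher that honours the established and to_server flow keywords. The addresses, ports, the /cgi-bin/test-cgi probe string and the rule messages are all constructed for the example. It shows the symptom from the subject line: a request that arrives with no preceding handshake never satisfies flow:established, while the same content matches a rule without the flow option.

```python
"""Toy model of why a Snort-style flow:established rule only fires once
the TCP three-way handshake has been seen.  Added example with constructed
packets; not Snort's stream4 code.  The rule it models has this shape:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
      (msg:"WEB-CGI test-cgi access"; flow:to_server,established; \
       content:"/cgi-bin/test-cgi";)
"""
from collections import namedtuple

# TCP flag bits, same values as in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Minimal packet: endpoints, TCP flags and application payload (bytes).
Packet = namedtuple("Packet", "src sport dst dport flags payload")

# A rule: alert message, content to look for, set of flow keywords.
Rule = namedtuple("Rule", "msg content flow")


class FlowTracker:
    """Per-4-tuple TCP state, the part of a stream preprocessor that the
    flow keyword relies on.  The endpoint that sent the first SYN is
    remembered as the client so that to_server can be evaluated too."""

    def __init__(self):
        self.flows = {}  # key -> {"state": str, "client": (ip, port)}

    @staticmethod
    def _key(pkt):
        # Direction-independent key for the connection.
        return frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])

    def update(self, pkt):
        """Feed one packet; return the connection state after it."""
        k = self._key(pkt)
        flow = self.flows.get(k, {"state": "NONE", "client": None})
        st, f = flow["state"], pkt.flags
        if f & RST:
            flow = {"state": "NONE", "client": None}
        elif st == "NONE" and f & SYN and not f & ACK:
            flow = {"state": "SYN_SENT", "client": (pkt.src, pkt.sport)}
        elif (st == "SYN_SENT" and f & SYN and f & ACK
              and (pkt.dst, pkt.dport) == flow["client"]):
            flow["state"] = "SYN_RECV"
        elif (st == "SYN_RECV" and f & ACK and not f & SYN
              and (pkt.src, pkt.sport) == flow["client"]):
            flow["state"] = "ESTABLISHED"
        # Anything else, e.g. data with no prior handshake, changes nothing:
        # the tracker never saw a handshake, so the flow stays NONE.
        self.flows[k] = flow
        return flow["state"]

    def is_established(self, pkt):
        return self.flows.get(self._key(pkt), {}).get("state") == "ESTABLISHED"

    def to_server(self, pkt):
        flow = self.flows.get(self._key(pkt))
        return bool(flow and flow["client"] == (pkt.src, pkt.sport))


def matches(tracker, pkt, rule):
    """Evaluate one packet against a rule, after the tracker has seen it."""
    if rule.content not in pkt.payload:
        return False
    if "established" in rule.flow and not tracker.is_established(pkt):
        return False
    if "to_server" in rule.flow and not tracker.to_server(pkt):
        return False
    return True


def run(packets, rule):
    """Feed a packet sequence through a fresh tracker; collect alert messages."""
    tracker = FlowTracker()
    alerts = []
    for pkt in packets:
        tracker.update(pkt)
        if matches(tracker, pkt, rule):
            alerts.append(rule.msg)
    return alerts


# Constructed endpoints and probe payload (a typical CGI scanner request).
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.80", 80)
PROBE = b"GET /cgi-bin/test-cgi HTTP/1.0\r\n\r\n"

STATEFUL = Rule("WEB-CGI test-cgi access (flow)", b"/cgi-bin/test-cgi",
                {"established", "to_server"})
STATELESS = Rule("WEB-CGI test-cgi access (no flow)", b"/cgi-bin/test-cgi",
                 set())


def handshake_then_request():
    """Normal client: SYN, SYN/ACK, ACK, then the request."""
    c, s = CLIENT, SERVER
    return [Packet(*c, *s, SYN, b""),
            Packet(*s, *c, SYN | ACK, b""),
            Packet(*c, *s, ACK, b""),
            Packet(*c, *s, PSH | ACK, PROBE)]


def request_without_handshake():
    """Same request, but the sensor never saw a handshake for this flow."""
    return [Packet(*CLIENT, *SERVER, PSH | ACK, PROBE)]


def demo():
    return {
        "stateful_after_handshake": run(handshake_then_request(), STATEFUL),
        "stateful_no_handshake": run(request_without_handshake(), STATEFUL),
        "stateless_no_handshake": run(request_without_handshake(), STATELESS),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: {alerts}")
```

The practical check this suggests is the one Paul recommends: capture the session and confirm whether the sensor actually sees all three handshake packets for the connections the scanner makes. If the sensor sees only one direction (an asymmetric span or tap) or joins the traffic midstream, the flow never reaches ESTABLISHED in the tracker and every rule carrying flow:established stays silent, while the same rule with the flow option removed would fire.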

