Snort mailing list archives
RE: rules with flow:established not working
From: Erek Adams <erek () snort org>
Date: Sat, 25 Oct 2003 00:16:17 -0400 (EDT)
On Fri, 24 Oct 2003, Schmehl, Paul L wrote:

> > How does snort know the flow is established?
>
> Erek can correct me if I'm wrong, but I'm pretty sure it's the three way handshake, and I'm *not* sure that Nikto does that. I think it may just throw exploit strings at the server and look at the responses. If so, that would explain why the flow:established rules aren't triggering alerts.
That's exactly it. For the most part, many of the 'exploit scanners' don't really do anything except throw packets with an exploit at a server. Flow:established actually looks to make sure there was a full three way handshake completed. I'm going to side with Paul on this... I'd really guess that either the software isn't sending the full packet set, or for some reason you're not getting all the traffic.
> I would think that ethereal would show you what's going on. Just start it up and record the session and then browse through the results.
Using ethereal would be perfect. The follow session option would be just what you need to see what's really going on.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
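To make the point in the reply above concrete, here is a small Python model of what a `flow:established` check does. It is an added example, not Snort's stream code and not from anyone in this thread: a tracker that only marks a TCP session established after it has seen the client SYN, the server SYN/ACK and the client ACK, and a rule evaluator that imitates a rule of the form `flow:to_server,established; content:"/etc/passwd";`. The packets are constructed in the script (a proper handshake followed by a request, versus a scanner that fires the same request with no handshake), and the addresses, ports and `rule_matches` helper are illustrative assumptions.

```python
"""Simplified model of Snort's flow:established semantics (added example, not Snort code).

A session is 'established' only after SYN, SYN/ACK and the client's ACK have been
seen in order. A packet that carries a payload but belongs to no tracked session
cannot satisfy flow:established, which is what happens when an exploit scanner
throws attack strings at a server without completing the handshake.
"""
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class FlowState:
    client: tuple          # (ip, port) that sent the SYN
    server: tuple
    syn_seen: bool = False
    synack_seen: bool = False
    established: bool = False


class StreamTracker:
    """Tracks TCP sessions keyed by the unordered pair of endpoints."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def observe(self, p):
        k = self.key(p)
        st = self.flows.get(k)
        if st is None:
            # Only a bare SYN starts a tracked session; a mid-stream packet
            # with no prior handshake is left untracked (returns None).
            if p.flags & SYN and not p.flags & ACK:
                st = FlowState(client=(p.src, p.sport), server=(p.dst, p.dport), syn_seen=True)
                self.flows[k] = st
            return st
        sender = (p.src, p.sport)
        if p.flags & SYN and p.flags & ACK and sender == st.server and st.syn_seen:
            st.synack_seen = True
        elif p.flags & ACK and not p.flags & SYN and sender == st.client and st.synack_seen:
            st.established = True
        return st

    def direction(self, p):
        st = self.flows.get(self.key(p))
        if st is None:
            return None
        return "to_server" if (p.src, p.sport) == st.client else "to_client"


def rule_matches(tracker, p, content, require_established=True, direction="to_server"):
    """Assumed helper: evaluates 'flow:<direction>,established; content:<content>' against p."""
    st = tracker.observe(p)
    if content not in p.payload:
        return False
    if direction is not None and tracker.direction(p) != direction:
        return False
    if require_established and not (st and st.established):
        return False
    return True


def handshake(client, server):
    return [
        Packet(*client, *server, SYN),
        Packet(*server, *client, SYN | ACK),
        Packet(*client, *server, ACK),
    ]


def run_scenarios():
    """Constructed traffic: handshake + request versus a bare scanner request."""
    client, server = ("10.0.0.5", 40000), ("192.168.1.10", 80)
    probe = b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"
    request = Packet(*client, *server, PSH | ACK, probe)
    results = {}

    t = StreamTracker()                      # real session: three-way handshake first
    for p in handshake(client, server):
        t.observe(p)
    results["handshake_then_probe"] = rule_matches(t, request, b"/etc/passwd")

    t = StreamTracker()                      # scanner: payload with no handshake
    results["bare_probe_established"] = rule_matches(t, request, b"/etc/passwd")

    t = StreamTracker()                      # same packet, rule without the flow check
    results["bare_probe_no_flow"] = rule_matches(
        t, request, b"/etc/passwd", require_established=False, direction=None)
    return results


if __name__ == "__main__":
    for name, fired in run_scenarios().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```

The third scenario is the same packet matched by a rule without the `flow` option, which is why dropping `flow:established` from a rule makes a scanner's traffic light up but also makes the rule fire on spoofed or unsolicited packets. When checking a capture in ethereal or Wireshark, look for the SYN, SYN/ACK and ACK ahead of the first payload packet of the session; if they are missing, the rules are behaving as designed.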
Current thread:
- rules with flow:established not working Ed Callahan (Oct 24)
- Re: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- Re: rules with flow:established not working Erek Adams (Oct 24)
- <Possible follow-ups>
- RE: rules with flow:established not working Schmehl, Paul L (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 25)
- RE: rules with flow:established not working Paul Schmehl (Oct 25)