RE: rules with flow:established not working

[Paul Schmehl <pauls () utdallas edu>]

--On Saturday, October 25, 2003 13:14:40 -0500 Ed Callahan 
<snort () edcallahan com> wrote:
> I'm reaching the limit of my comfort-zone here, but packets 1-3 seem
> to be the 3-way handshake you and Paul referred to, and I see the ACK
> bit set. So it would seem that the problem is not with my NIC/OS or
> with Winpcap (if ethereal is using that to read packets?).

Yes, ethereal uses winpcap.  As to the rest, I'm out of my element.  I 
haven't used snort on Windows, so I can't tell you whether the rules work 
correctly on that platform or not.  It does appear you're getting the three 
way handshake before each of the requests that you posted, so I'm going to 
have to drop out of this conversation and let the Windows pros take over.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users