Snort mailing list archives
Re: No Alerts In Windows: Problem with the 'established' flow control element
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 2 Aug 2004 23:18:26 -0400
Which version of Snort are you running? Try adding the "-k none" switch at the command line and see if that changes anything...
-Marty

On Jul 30, 2004, at 5:48 PM, Mike wrote:
I have been having problems for the past few days getting snort to work correctly in windows, mainly getting it to pick up alerts. After fooling with some alerts myself to try and debug it, it seems that snort has some problem with the "flow:established" option. For some reason snort is incorrectly tracking established connections and when I make (for example) a web request to domain.com/cmd.exe it will only pick up the attack if I remove the established keyword.

Here is my original mail which contains all the info so I don't forward a ton of stuff again:
http://marc.theaimsgroup.com/?l=snort-users&m=109114198631743&w=2

It seems this was mentioned a long time ago on the mailing list, but without resolve:
http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=established+flow+working&q=b

Along with a lot of info on google:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=flow%3Aestablished+not+working

However I can't find if anyone ever resolved this in windows. So any help would be great!

Mike

-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG - Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
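An added illustration, not code from the thread, from Marty, or from Snort itself: a toy Python model of the dependency that the flow:established keyword introduces, run over a constructed capture with and without the keyword and with and without checksum verification. It assumes two things about Snort's behaviour: that the keyword matches only once the stream preprocessor has tracked the TCP three-way handshake, and that packets failing checksum verification are discarded before stream tracking and detection unless "-k none" is given. The scenario is one way the reported symptom can arise, not a diagnosis of Mike's setup.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str            # TCP flags, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""
    csum_ok: bool = True  # False models a segment with a bad TCP checksum

@dataclass
class ToySnort:
    """Stand-in for stream tracking plus one content rule (assumption, not Snort code)."""
    verify_checksums: bool = True          # False corresponds to running with "-k none"
    _syn: set = field(default_factory=set)
    _synack: set = field(default_factory=set)
    established: set = field(default_factory=set)

    def feed(self, p, content, require_established):
        """Return True if the rule (content match, optionally flow:established) fires on p."""
        if self.verify_checksums and not p.csum_ok:
            return False                   # discarded before tracking and detection
        s = frozenset((p.src, p.dst))      # session key, direction-independent
        if p.flags == "S":
            self._syn.add(s)
        elif p.flags == "SA" and s in self._syn:
            self._synack.add(s)
        elif "A" in p.flags and s in self._synack:
            self.established.add(s)        # three-way handshake completed
        if content not in p.payload:
            return False
        return (not require_established) or (s in self.established)

def alerts(capture, require_established, verify_checksums=True):
    snort = ToySnort(verify_checksums)     # fresh tracker per run
    return sum(snort.feed(p, b"cmd.exe", require_established) for p in capture)

# Constructed capture: a client fetching /cmd.exe where the client's handshake
# segments carry bad checksums but the request segment itself is intact.
CAPTURE = [
    Pkt("10.0.0.5", "10.0.0.80", "S", csum_ok=False),
    Pkt("10.0.0.80", "10.0.0.5", "SA"),
    Pkt("10.0.0.5", "10.0.0.80", "A", csum_ok=False),
    Pkt("10.0.0.5", "10.0.0.80", "PA", b"GET /cmd.exe HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(alerts(CAPTURE, True))          # 0: rule with flow:established stays silent
    print(alerts(CAPTURE, False))         # 1: same rule without the keyword fires
    print(alerts(CAPTURE, True, False))   # 1: keyword kept, checksums not verified ("-k none")
```

A first check on a real sensor is therefore whether the capture shows the handshake and whether its segments pass checksum verification, since either gap leaves the flow untracked and the keyword unsatisfied.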
Current thread:
- No Alerts In Windows: Problem with the 'established' flow control element Mike (Jul 30)
- Re: No Alerts In Windows: Problem with the 'established' flow control element Martin Roesch (Aug 02)