Snort mailing list archives

Re: need help understanding the "flow:" keyword


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 05 Jan 2005 11:24:45 -0600

On Wed, 2005-01-05 at 10:12 -0500, Miner, Jonathan W (CSC) (US SSA)
wrote:
> I run my Snort (2.3.0RC2) sensor on the same box as our SUN iProxy
> (3.6/SP6) web proxy server.  The proxy server also uses SmartFilter
> (from SecureComputing) to filter web traffic. Both HOME_NET and
> EXTERNAL_NET are set to "any". I edited the bleeding-all.rules file,
> and took out all the "flow:" commands, and now Snort is detecting
> traffic as expected.
>
> I must be missing something, but even after using Google, and reading
> several examples of flow usage, I'm puzzled.

It appears you do not have the flow preprocessor enabled. Make sure your
snort.conf contains:
 preprocessor flow: stats_interval 0 hash 2

Note that not having this line will cause all rules that contain the
flow statement to be missed.

Also note that this does not only apply to the bleeding rules, but also
all stock Snort rules that use the flow statement (and that's most of
them I think).

So it appears that without flow, you were missing the majority of Snort
rules as well.

Hope this helps,
Frank
(responsible for adding flow to the bleeding rules...)
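As an added example (not part of the thread or of Snort itself), a small script that performs the check Frank's reply implies: confirm that snort.conf has an active, uncommented `preprocessor flow:` line, and list the SIDs of rules carrying a `flow:` option, the rules he says are missed without it. The snort.conf fragment and rule lines are constructed sample input.

```python
import re

# Constructed sample snort.conf fragment: the flow preprocessor line is
# commented out, which is the situation described in the thread.
SNORT_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
# preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts
include bleeding-all.rules
"""

# Constructed sample rule file: two active rules use flow:, one does not,
# and one flow: rule is commented out and therefore not loaded.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example A"; flow:to_server,established; content:"foo"; sid:1000001;)
# alert tcp any any -> any any (msg:"commented out"; flow:established; sid:1000002;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"example B"; flow:to_client; content:"bar"; sid:1000003;)
alert icmp any any -> any any (msg:"example C"; itype:8; sid:1000004;)
"""

FLOW_PREPROC = re.compile(r"^\s*preprocessor\s+flow\b", re.M)  # uncommented lines only
FLOW_OPTION = re.compile(r"\bflow\s*:")
SID_OPTION = re.compile(r"\bsid\s*:\s*(\d+)")

def flow_preprocessor_enabled(conf_text):
    """True if snort.conf contains an active 'preprocessor flow' line."""
    return FLOW_PREPROC.search(conf_text) is not None

def rules_using_flow(rules_text):
    """Return (list of SIDs whose rule uses flow:, number of active rules)."""
    flow_sids, total = [], 0
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not loaded as rules
        total += 1
        if FLOW_OPTION.search(line):
            m = SID_OPTION.search(line)
            flow_sids.append(int(m.group(1)) if m else None)
    return flow_sids, total

def audit(conf_text, rules_text):
    """SIDs of flow: rules that would be missed because the preprocessor is off."""
    flow_sids, _ = rules_using_flow(rules_text)
    return [] if flow_preprocessor_enabled(conf_text) else flow_sids

if __name__ == "__main__":
    sids, total = rules_using_flow(RULES)
    print(f"{len(sids)} of {total} active rules use flow:")
    print("missed without 'preprocessor flow':", audit(SNORT_CONF, RULES))
```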
