Snort mailing list archives
Flow Established Help
From: "Ramon L. Fernandez" <buddy () uswebpc com>
Date: Mon, 9 Jan 2006 02:20:41 -0500
Hello, I had a question about the use of flow:established in the context of Snort rules. How does Snort interpret an established session? Does it utilize traffic in both directions, or can it still understand an established connection from unidirectional traffic? A hypothetical situation would be an HTTP connection negotiation where part or all of the server response is dropped by Snort. Would Snort still be able to understand that the session was established based on unidirectional communications, or would Snort assume the session was not established and pass the packet with malicious content? If it did pass the packet, would Snort also pass it if the flow:to_server option were substituted instead?
From what I have read in the FAQ about switched environments, not being able to see RX and TX traffic causes a drawback of being unable to perform stateful analysis, but then it says a workaround is to monitor RX traffic only on a gigabit switch. This seems contradictory to me, so I am simply seeking clarification. If this question seems elementary, I apologize. I am new to utilizing Snort, but I do research, and from plenty of time at Google and reading what I found, I could not find a clear answer. Any help would be much appreciated!

Cheers,
Ramon Fernandez
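As an added illustration of the distinction the question turns on (this is not part of the original post and is not Snort's stream preprocessor code): a toy flow tracker that decides "established" only from the handshake packets it has actually seen, then evaluates two constructed rules, one corresponding to `flow:established,to_server;` and one to `flow:to_server;` alone, against a full bidirectional capture and against a client-side-only capture of the same HTTP request. The Packet and Session classes, the rule dictionaries, the addresses, the marker string and the optional "assume an unseen SYN/ACK" policy are all assumptions made for this example; what Snort itself does with a one-sided capture depends on how its stream preprocessor is configured.

```python
"""
Toy flow tracker showing what "established" means for a flow:established
rule and why a one-directional capture is ambiguous.

Added example for this thread. It is NOT Snort code and does not reproduce
the real stream preprocessor; the rule format, packet objects, addresses and
the lenient policy below are all constructed for illustration.
"""
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class Session:
    client: tuple  # (ip, port) that sent the first packet we saw
    server: tuple
    saw_syn: bool = False
    saw_synack: bool = False
    saw_ack: bool = False

    def established(self, assume_unseen_synack: bool) -> bool:
        """Strict: all three handshake packets observed.
        Lenient (assumption, not Snort's rule): a bare ACK from the client
        after its SYN implies a SYN/ACK came back that the tap never saw."""
        if self.saw_syn and self.saw_synack and self.saw_ack:
            return True
        return assume_unseen_synack and self.saw_syn and self.saw_ack


class FlowTracker:
    """Tracks TCP handshake state per connection (sorted 4-tuple key)."""

    def __init__(self, assume_unseen_synack: bool = False):
        self.assume_unseen_synack = assume_unseen_synack
        self.sessions: dict = {}

    @staticmethod
    def _key(p: Packet):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def feed(self, p: Packet) -> Session:
        key = self._key(p)
        s = self.sessions.get(key)
        if s is None:
            # Whoever we see first is treated as the client (assumption).
            s = Session(client=(p.src, p.sport), server=(p.dst, p.dport))
            self.sessions[key] = s
        from_client = (p.src, p.sport) == s.client
        if p.flags & SYN and not p.flags & ACK and from_client:
            s.saw_syn = True
        elif p.flags & SYN and p.flags & ACK and not from_client:
            s.saw_synack = True
        elif p.flags & ACK and from_client and s.saw_syn:
            s.saw_ack = True
        return s


def rule_matches(rule: dict, p: Packet, s: Session, tracker: FlowTracker) -> bool:
    """rule = {"flow": {"established", "to_server"}, "content": b"..."}"""
    flow = rule.get("flow", set())
    to_server = (p.dst, p.dport) == s.server
    if "established" in flow and not s.established(tracker.assume_unseen_synack):
        return False
    if "to_server" in flow and not to_server:
        return False
    if "to_client" in flow and to_server:
        return False
    return rule["content"] in p.payload


# Constructed sample traffic: one HTTP request carrying a marker string.
C, S = "10.0.0.5", "192.0.2.10"
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example\r\nX-Marker: TESTPATTERN\r\n\r\n"
SYN_PKT = Packet(C, S, 40000, 80, SYN)
SYNACK_PKT = Packet(S, C, 80, 40000, SYN | ACK)
ACK_PKT = Packet(C, S, 40000, 80, ACK)
DATA_PKT = Packet(C, S, 40000, 80, PSH | ACK, REQUEST)

BIDIRECTIONAL = [SYN_PKT, SYNACK_PKT, ACK_PKT, DATA_PKT]
CLIENT_SIDE_ONLY = [SYN_PKT, ACK_PKT, DATA_PKT]  # what an RX-only tap sees

RULE_ESTABLISHED = {"flow": {"established", "to_server"}, "content": b"TESTPATTERN"}
RULE_DIRECTION_ONLY = {"flow": {"to_server"}, "content": b"TESTPATTERN"}


def run(packets, rule, assume_unseen_synack: bool = False) -> bool:
    """Replay packets through a fresh tracker; True if the rule fires on any of them."""
    tracker = FlowTracker(assume_unseen_synack)
    fired = False
    for p in packets:
        s = tracker.feed(p)
        fired = rule_matches(rule, p, s, tracker) or fired
    return fired


if __name__ == "__main__":
    print("bidirectional, established rule:", run(BIDIRECTIONAL, RULE_ESTABLISHED))
    print("client side only, established rule:", run(CLIENT_SIDE_ONLY, RULE_ESTABLISHED))
    print("client side only, direction-only rule:", run(CLIENT_SIDE_ONLY, RULE_DIRECTION_ONLY))
    print("client side only, lenient tracker:", run(CLIENT_SIDE_ONLY, RULE_ESTABLISHED, True))
```

With the strict tracker the client-side-only capture never reaches "established" because the SYN/ACK is missing, so the established rule stays silent while the direction-only rule still fires on the request; the lenient policy restores the match, but only when the client's SYN was seen, which is exactly the trade-off a one-directional tap forces.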
Current thread:
- Flow Established Help Ramon L. Fernandez (Jan 08)
- <Possible follow-ups>
- RE: Flow Established Help Ramon L. Fernandez (Jan 12)
- Re: Flow Established Help Jason Brvenik (Jan 13)