Snort mailing list archives

A question about flow:established keyword


From: "Shadi Rostami" <shadi () inkra com>
Date: Wed, 26 Mar 2003 14:27:35 -0800

Hello,
I believe when we set the value of flow to "established", Snort only looks for that attack after the connection is established (i.e. the 3-way TCP handshake is done).

Also, I assume that there should be a time-out for TCP sessions (i.e. after the session is idle for a period of time, it would be considered dead and the memory assigned to it, including the session data and status, will be de-allocated).

What happens when
        1. A TCP connection is established; the 3-way handshake is done, but it remains idle for a long time.
        2. During that time, the session times out and the session data is de-allocated.
        3. The client sends packets belonging to that session. The server might still have that session data, so it accepts them as the old session and communicates with the client fine.
        4. Snort sees this new packet as a new session (although it is an old session), won't see any 3-way handshake, and will not look for the attacks.

Are we going to lose some attacks in the above situation?

Thanks
--Shadi
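The scenario in the question, as an added illustration that is not from the original post and not Snort's own code: a toy stream tracker with an idle timeout, a rule that emulates `flow:established; content:"ATTACK";`, and a constructed packet trace (handshake, short exchange, long idle period, then a data packet). The state names, the `midstream_pickup` policy switch and the sample packets are assumptions made for this example, not Snort internals.

```python
from dataclasses import dataclass

# Constructed packet model: only the fields the tracker needs.
@dataclass
class Packet:
    ts: float                # seconds since trace start
    src: str
    dst: str
    flags: frozenset         # TCP flags, e.g. frozenset({"SYN", "ACK"})
    payload: bytes = b""


@dataclass
class Session:
    state: str = "NEW"       # NEW -> SYN_SENT -> SYN_RECV -> ESTABLISHED
    last_seen: float = 0.0


class StreamTracker:
    """Minimal TCP session tracker with an idle timeout (assumed model)."""

    def __init__(self, idle_timeout: float, midstream_pickup: bool = False):
        self.idle_timeout = idle_timeout
        # Assumption: with midstream_pickup a first-seen packet carrying ACK
        # (and no SYN) is trusted as belonging to an already established flow.
        self.midstream_pickup = midstream_pickup
        self.sessions = {}

    @staticmethod
    def _key(pkt: Packet):
        return tuple(sorted((pkt.src, pkt.dst)))

    def _reap(self, now: float) -> int:
        """Drop sessions idle longer than the timeout; return how many died."""
        dead = [k for k, s in self.sessions.items()
                if now - s.last_seen > self.idle_timeout]
        for k in dead:
            del self.sessions[k]
        return len(dead)

    def process(self, pkt: Packet) -> str:
        """Feed one packet; return the flow state a rule would be matched against."""
        self._reap(pkt.ts)
        key = self._key(pkt)
        s = self.sessions.get(key)
        if s is None:
            s = Session()
            self.sessions[key] = s
            if self.midstream_pickup and "ACK" in pkt.flags and "SYN" not in pkt.flags:
                s.state = "ESTABLISHED"
        # Three-way handshake state machine (simplified).
        if s.state == "NEW" and pkt.flags == {"SYN"}:
            s.state = "SYN_SENT"
        elif s.state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            s.state = "SYN_RECV"
        elif s.state == "SYN_RECV" and "ACK" in pkt.flags:
            s.state = "ESTABLISHED"
        s.last_seen = pkt.ts
        return s.state


def rule_matches(flow_state: str, payload: bytes, content: bytes = b"ATTACK") -> bool:
    """Emulates 'flow:established; content:"ATTACK";': only established flows qualify."""
    return flow_state == "ESTABLISHED" and content in payload


def run_scenario(idle_timeout: float, midstream_pickup: bool) -> list:
    """Replay a constructed trace; return timestamps of packets that alerted."""
    tracker = StreamTracker(idle_timeout, midstream_pickup)
    trace = [  # constructed sample traffic
        Packet(0.0, "client", "server", frozenset({"SYN"})),
        Packet(0.1, "server", "client", frozenset({"SYN", "ACK"})),
        Packet(0.2, "client", "server", frozenset({"ACK"})),
        Packet(0.3, "client", "server", frozenset({"PSH", "ACK"}), b"hello"),
        # one hour of silence, then the payload the rule is looking for
        Packet(3600.0, "client", "server", frozenset({"PSH", "ACK"}), b"ATTACK"),
    ]
    alerts = []
    for pkt in trace:
        state = tracker.process(pkt)
        if rule_matches(state, pkt.payload):
            alerts.append(pkt.ts)
    return alerts


if __name__ == "__main__":
    print("60s timeout, handshake required:", run_scenario(60, False))     # []
    print("2h timeout, handshake required: ", run_scenario(7200, False))   # [3600.0]
    print("60s timeout, midstream pickup:  ", run_scenario(60, True))      # [3600.0]
```

The first run reproduces the gap the question describes: the session is reaped during the idle hour, the later data packet starts a fresh entry that never saw a handshake, and the `flow:established` rule stays silent even though the server still treats the connection as live. The other two runs show the two knobs a defender has: a longer idle timeout (at the cost of state memory) or a policy that picks up sessions mid-stream from ACK-bearing packets, which is what Snort's later `stream5_tcp` preprocessor does unless `require_3whs` is set.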
