Snort mailing list archives

RE: A question about flow:established keyword


From: "Shadi Rostami" <shadi () inkra com>
Date: Wed, 26 Mar 2003 15:33:45 -0800


:: I believe when we set the value of flow to "established", Snort only
:: looks for that attack after the connection is established (i.e. the 3-way TCP
:: handshake is done).

More specifically, it looks for the ACK and some other flag set (A+).  So, 
if data were being sent in a SYN+ACK packet, Snort would inspect that, too.  
At least, that's what the docs seem to indicate :)

[Shadi Rostami] It is not just looking for A+. I believe it checks if the TCP 3-way handshake is done.
This feature was added to protect Snort against the stick and snot tools, I think. Those tools were trying to send TCP
packets with attack signatures without creating a real TCP connection (therefore, they could send lots of them very
fast). They can cause lots of false positives in the IDS, so the administrator would be overwhelmed and won't be able to
find the real attack in the log file.

http://www.snort.org/docs/writing_rules/chap2.html#stream%204%20section
[Shadi Rostami] That document mentions that there is a timeout for the stream4 preprocessor. However, it does not say
anything about my specific problem.
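The distinction the thread is arguing about, shown as an added example (not code from the list or from Snort itself): a loose "ACK flag set" test versus a minimal handshake tracker in the spirit of stream4. Packet fields, addresses and the simplified three-state machine are constructed for illustration.

```python
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flags_only_established(p: Pkt) -> bool:
    """Loose reading of 'established': any segment with ACK set (the 'A+' view)."""
    return bool(p.flags & ACK)


class StreamTracker:
    """Tracks each bidirectional flow through 'syn' -> 'synack' -> 'est'.
    A segment is 'established' only if the full handshake was seen for its flow."""

    def __init__(self) -> None:
        self.state: dict = {}

    @staticmethod
    def key(p: Pkt) -> frozenset:
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})  # direction-agnostic

    def observe(self, p: Pkt) -> None:
        k, st = self.key(p), self.state.get(self.key(p))
        if p.flags & SYN and not p.flags & ACK:
            self.state[k] = "syn"
        elif p.flags & SYN and p.flags & ACK and st == "syn":
            self.state[k] = "synack"
        elif p.flags & ACK and not p.flags & SYN and st == "synack":
            self.state[k] = "est"

    def established(self, p: Pkt) -> bool:
        return self.state.get(self.key(p)) == "est"


def run(packets):
    """Return (flag_only_match, tracked_match) for every packet, in order."""
    t, out = StreamTracker(), []
    for p in packets:
        t.observe(p)
        out.append((flags_only_established(p), t.established(p)))
    return out


C, S = "192.0.2.10", "192.0.2.80"  # constructed client and server addresses
HANDSHAKE = [Pkt(C, 40000, S, 80, SYN), Pkt(S, 80, C, 40000, SYN | ACK),
             Pkt(C, 40000, S, 80, ACK), Pkt(C, 40000, S, 80, PSH | ACK)]
SPOOFED = [Pkt("192.0.2.99", 5555, S, 80, PSH | ACK)]  # ACK set, no handshake seen
```

The last handshake packet matches under both views, while the spoofed ACK-only segment matches the flag test but not the tracker, which is why stateful tracking suppresses the false positives Shadi describes.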



