Re: Can I do the flow equiv of "Flags:S"?

[Matt Kettler <mkettler () evi-inc com>]

At 11:34 AM 5/20/2003 +1200, Jason Haar wrote:
> Hi there
>
> I'm wanting to capture outgoing TCP connections irrespective of whether or
> not a front-end firewall is blocking that port. I know "Flags:S" does that
> trick - but then tcp reassembly doesn't occur.
>
> Is there a way of using the "flow:" option to do this?
>
> [i.e. flow:established doesn't work in the case a firewall stops the 3-way
> TCP handshake from finishing]

I guess my question is why would you want to use flow for this?

flow is _intended_ for stateful analysis.. By invoking flow: instead of 
flags: you're specifically stating that you're only interested in 
connections which have negotiated themselves to a particular state.

If you want stateless analysis flags _is_ really the option you want to use.

Flow isn't an absolute replacement for flags.. it's just for some 
situations it works better, others it doesn't.. pick the right one for the 
right job and you'll be happy.




-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users