Snort mailing list archives

flow:established not working


From: "Ed Callahan" <snort () edcallahan com>
Date: Thu, 23 Oct 2003 09:33:24 -0500

My IIS rules aren't triggering when I test with Nikto. I've debugged and
narrowed the problem down to this: my snort rules that contain
"flow:established" are not working. If I run snort with just the rule

alert tcp any any -> any 80 (msg:"test";)

and point my browser to the server I get all sorts of hits on that rule. But
if I use

alert tcp any any -> any 80 (msg:"test"; flow:established;)

I get silence.

I have Snort 2.0.2 on a Win2003 server and WinPcap 3.0. I do have stream4
running; my snort.conf (which I simplified a bunch during debugging) is
below.

I'm out of ideas, does anyone know what the problem might be or how to
troubleshoot this thing further?

Ed Callahan
snort () edcallahan com

preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
include c:/snort/etc/classification.config
include c:/snort/etc/reference.config
include c:/snort/rules/local.rules
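As an added illustration (not part of Ed's post or of Snort's own code), a small Python model of the difference between the two rules above: in Snort 2.0 the flow:established keyword is answered by stream4's session table, which only marks a session established after it has seen the TCP handshake, so a sensor that never sees the SYN, SYN/ACK and ACK of a connection can match the plain port-80 rule on every packet and still be silent on the flow:established variant. The hosts, ports and packet sequence are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # constructed sample data: "S", "SA", "A" or "PA"

def session_key(p):
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # direction-agnostic

class Stream4Model:
    """Stand-in for the stream4 session table: a session counts as
    'established' only after the tracker has seen SYN, SYN/ACK and ACK."""
    def __init__(self):
        self.state = {}

    def update(self, p):
        k = session_key(p)
        s = self.state.get(k)
        if p.flags == "S" and s is None:
            self.state[k] = "SYN"
        elif p.flags == "SA" and s == "SYN":
            self.state[k] = "SYN_ACK"
        elif p.flags in ("A", "PA") and s == "SYN_ACK":
            self.state[k] = "ESTABLISHED"

    def established(self, p):
        return self.state.get(session_key(p)) == "ESTABLISHED"

def run_rules(packets, tracker):
    """Count hits for the two rules from the post: the plain port-80 rule
    and the same rule with flow:established; returns (plain, established)."""
    plain = est = 0
    for p in packets:
        tracker.update(p)
        if p.dport == 80:                # alert tcp any any -> any 80
            plain += 1
            if tracker.established(p):   # ... flow:established;
                est += 1
    return plain, est

C, S = ("10.0.0.5", 1234), ("10.0.0.80", 80)   # constructed client / web server
def pkt(a, b, flags): return Pkt(a[0], a[1], b[0], b[1], flags)
FULL = [pkt(C, S, "S"), pkt(S, C, "SA"), pkt(C, S, "A"),      # handshake seen
        pkt(C, S, "PA"), pkt(S, C, "PA"), pkt(C, S, "A")]     # then the request
MID_SESSION = FULL[3:]   # sensor (or stream4) first sees the flow after the handshake
```

Running `run_rules` over `FULL` gives hits on both rules, while `MID_SESSION` still hits the plain rule but never the flow:established one, which is the "silence" described above when the handshake is not being tracked.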




