Snort mailing list archives
RE: rules with flow:established not working
From: "Ed Callahan" <snort () edcallahan com>
Date: Fri, 24 Oct 2003 23:02:22 -0500
Paul -

The problem isn't that Nikto isn't a good test of the rules. The rules don't trigger a response when they include flow:established, and do trigger a response without the flow:established, when I use my browser to test the rules (i.e. when I'm not using Nikto). So the flow is established, but for some reason snort doesn't know that.

When I remove the "established" from the rules in web-iis.rules snort detects all sorts of attacks from IP addresses all over the world. Putting the "established" back results in silence.

Ed Callahan
snort () edcallahan com

On Fri, 24 Oct 2003 Paul Schmehl wrote:
> On Fri, 24 Oct 2003 Ed Callahan wrote:
> > How does snort know the flow is established?
>
> Erek can correct me if I'm wrong, but I'm pretty sure it's the three way handshake, and I'm *not* sure that Nikto does that. I think it may just throw exploit strings at the server and look at the responses. If so, that would explain why the flow:established rules aren't triggering alerts.
>
> > Can I look at the packets to see if the problem is with the NIC/OS or with WinPCap/Snort?
>
> I would think that ethereal would show you what's going on. Just start it up and record the session and then browse through the results.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
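The mechanism Paul describes above (a flow counts as "established" only once the sensor has seen the client's SYN, the server's SYN-ACK and the client's final ACK) can be modelled in a few lines. The block below is an added example, not Snort's code and not from anyone in this thread: a toy stream tracker plus a minimal rule matcher, run over three constructed sessions: a full browser-style handshake, a request sent with no handshake at all (the case Paul raises), and a capture in which the sensor only sees the client's side of the handshake. The addresses, ports, request string and rule content are constructed placeholders, and direction keywords such as to_server are left out for brevity.

```python
"""Toy model of 'flow:established' matching: constructed example, not Snort."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # any of "S", "A", "P", "F", "R"
    payload: bytes = b""


def flow_key(p):
    """Direction-independent key so both sides of a conversation share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


class StreamTracker:
    """Per-flow state machine: None -> SYN_SENT -> SYN_RECV -> ESTABLISHED."""

    def __init__(self):
        self.state = {}   # flow_key -> state name
        self.client = {}  # flow_key -> (addr, port) that sent the SYN

    def update(self, p):
        key = flow_key(p)
        st = self.state.get(key)
        syn, ack, rst = "S" in p.flags, "A" in p.flags, "R" in p.flags
        if rst:                                   # reset tears the flow down
            self.state.pop(key, None)
            self.client.pop(key, None)
            return None
        if st is None and syn and not ack:        # client SYN
            self.state[key] = "SYN_SENT"
            self.client[key] = (p.src, p.sport)
        elif st == "SYN_SENT" and syn and ack \
                and (p.dst, p.dport) == self.client[key]:   # server SYN-ACK
            self.state[key] = "SYN_RECV"
        elif st == "SYN_RECV" and ack and not syn \
                and (p.src, p.sport) == self.client[key]:   # client ACK
            self.state[key] = "ESTABLISHED"
        return self.state.get(key)

    def established(self, p):
        return self.state.get(flow_key(p)) == "ESTABLISHED"


@dataclass
class Rule:
    msg: str
    content: bytes
    require_established: bool


def run_rules(packets, rules):
    """Feed packets through the tracker, then apply each rule; return alerts."""
    tracker = StreamTracker()
    alerts = []
    for p in packets:
        tracker.update(p)
        for r in rules:
            if r.content not in p.payload:
                continue
            if r.require_established and not tracker.established(p):
                continue   # handshake never observed: rule stays silent
            alerts.append((r.msg, p.src, p.sport))
    return alerts


# Constructed sample traffic (placeholder addresses and request).
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
REQ = b"GET /scripts/test.html HTTP/1.0\r\n\r\n"


def browser_session():
    """Full three-way handshake, then the request."""
    return [Pkt(CLIENT, 40001, SERVER, 80, "S"),
            Pkt(SERVER, 80, CLIENT, 40001, "SA"),
            Pkt(CLIENT, 40001, SERVER, 80, "A"),
            Pkt(CLIENT, 40001, SERVER, 80, "PA", REQ)]


def no_handshake_session():
    """Request with no prior handshake seen by the sensor."""
    return [Pkt(CLIENT, 40002, SERVER, 80, "PA", REQ)]


def one_direction_session():
    """Sensor sees only the client's packets (the SYN-ACK never arrives)."""
    return [Pkt(CLIENT, 40003, SERVER, 80, "S"),
            Pkt(CLIENT, 40003, SERVER, 80, "A"),
            Pkt(CLIENT, 40003, SERVER, 80, "PA", REQ)]


RULE_WITH_FLOW = [Rule("WEB scripts access (constructed)", b"/scripts/", True)]
RULE_WITHOUT_FLOW = [Rule("WEB scripts access (constructed)", b"/scripts/", False)]


def alert_counts(session_fn):
    """(alerts with flow:established, alerts without it) for one session."""
    pkts = session_fn()
    return (len(run_rules(pkts, RULE_WITH_FLOW)),
            len(run_rules(pkts, RULE_WITHOUT_FLOW)))


if __name__ == "__main__":
    for fn in (browser_session, no_handshake_session, one_direction_session):
        print(f"{fn.__name__:24s} with/without established: {alert_counts(fn)}")
```

The third session is the one worth checking first when a rule set goes quiet only after "established" is added: if the sensor never sees the server's SYN-ACK (or the client's final ACK), the tracker never leaves SYN_SENT and every flow:established rule stays silent even though the request itself is visible, which is the symptom described in this thread and exactly what a packet capture of both directions would confirm or rule out.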
Current thread:
- rules with flow:established not working Ed Callahan (Oct 24)
- Re: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- Re: rules with flow:established not working Erek Adams (Oct 24)
- <Possible follow-ups>
- RE: rules with flow:established not working Schmehl, Paul L (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 24)
- RE: rules with flow:established not working Erek Adams (Oct 24)
- RE: rules with flow:established not working Ed Callahan (Oct 25)
- RE: rules with flow:established not working Paul Schmehl (Oct 25)