Snort mailing list archives

FLOW question


From: Steven Suppe <steve_suppe () yahoo com>
Date: Wed, 25 Feb 2004 16:02:26 -0800 (PST)

Hello,
 
I'm a newbie to this list, but am presently becoming the resident "expert" at Snort here at work, and I look forward to 
participating!
 
My current question is about the keyword flow.  I really don't understand the point - I understand that it's supposed 
to relieve you from defining packet direction at the IP layer, but I'm not understanding something in practice.  For 
instance, if I wanted to capture any time the word "root" was issued over a telnet connection, 
 
Wouldn't
 
alert tcp $EXTERNAL any -> $TELNET_SERVER 23 (msg:"SU attempt!"; content: "root"; nocase; 
flow:to_server,from_client,established;)
 
and the same rule WITHOUT the flow clause do the exact same thing?  Because of the "->" operator, we can only have 
our traffic going one way anyway!
 
I thought that because it was stateful, that once the connection was established, I could have 
 
alert tcp $EXTERNAL any -> $TELNET_SERVER 23 (msg: "SU attempt!"; content: "root"; nocase; flow:from_server, 
established;)
 
if I wanted to get something JUST from the server, but that doesn't seem to work!
 
If someone could enlighten a poor admin like me, I'd appreciate it!  I'm sure it's something small and obvious that I'm 
missing.  Thanks in advance!
 
Steve Suppe
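The distinction the question turns on is that the rule header (`$EXTERNAL any -> $TELNET_SERVER 23`) is evaluated per packet from the IP/TCP addresses, while `flow` is evaluated against the stream preprocessor's session state: `established` requires a completed three-way handshake, and `to_server`/`from_client` (synonyms) or `from_server`/`to_client` (synonyms) refer to whichever endpoint initiated the session, not to the header's `->`. The model below is an added example written for this archive page, not code from the original post and not Snort's own implementation; the hosts, ports and packets are constructed, and the session tracker is a deliberately minimal stand-in for Snort's stream preprocessor. It shows that the rule without `flow` also fires on a stray packet that belongs to no session, that `to_server,established` only fires inside a real session, that a `->` header pointing at port 23 combined with `from_server` can never match, and what header the server-side rule needs instead.

```python
"""Toy model of how Snort's `flow` keyword interacts with the rule header.
Constructed example: hosts, ports and traffic are made up, and the tracker
is a minimal stand-in for Snort's stream preprocessor."""

from dataclasses import dataclass, field
from typing import Optional

EXTERNAL = "10.0.0.5"            # constructed: plays the role of $EXTERNAL
TELNET_SERVER = "192.168.1.10"   # constructed: plays the role of $TELNET_SERVER


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class Rule:
    """The subset of a Snort rule used here: header plus content/nocase/flow."""
    src: str
    sport: Optional[int]      # None stands for 'any'
    dst: str
    dport: Optional[int]
    content: bytes
    flow: set = field(default_factory=set)   # e.g. {"to_server", "established"}


class SessionTracker:
    """Remembers which endpoint sent the SYN (the session *client*) and
    whether the three-way handshake completed (the session is *established*)."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def key(p: Packet):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def update(self, p: Packet):
        k = self.key(p)
        s = self.sessions.get(k)
        if s is None:
            if p.flags == "S":   # only a SYN opens a tracked session
                self.sessions[k] = {"client": (p.src, p.sport), "state": "SYN", "established": False}
        elif p.flags == "SA" and s["state"] == "SYN" and (p.dst, p.dport) == s["client"]:
            s["state"] = "SYN_ACK"
        elif "A" in p.flags and s["state"] == "SYN_ACK" and (p.src, p.sport) == s["client"]:
            s["state"] = "ESTABLISHED"
            s["established"] = True
        return self.sessions.get(k)


def header_matches(rule: Rule, p: Packet) -> bool:
    """The '->' header: purely the packet's own addresses and ports."""
    return (p.src == rule.src and p.dst == rule.dst
            and rule.sport in (None, p.sport) and rule.dport in (None, p.dport))


def flow_matches(rule: Rule, p: Packet, session) -> bool:
    """The flow keyword: evaluated against session state, not the header."""
    if not rule.flow:
        return True                 # no flow keyword: stateless match
    if session is None:
        return False                # flow needs a tracked session
    if "established" in rule.flow and not session["established"]:
        return False
    from_client = (p.src, p.sport) == session["client"]
    if rule.flow & {"to_server", "from_client"} and not from_client:
        return False
    if rule.flow & {"from_server", "to_client"} and from_client:
        return False
    return True


def evaluate(rule: Rule, packets) -> list:
    """Return the indices of packets the rule alerts on (content is nocase)."""
    tracker, hits = SessionTracker(), []
    for i, p in enumerate(packets):
        session = tracker.update(p)
        if (header_matches(rule, p) and rule.content.lower() in p.payload.lower()
                and flow_matches(rule, p, session)):
            hits.append(i)
    return hits


# Constructed traffic: one stray packet with no session behind it, then a real session.
TRAFFIC = [
    Packet(EXTERNAL, 40000, TELNET_SERVER, 23, "PA", b"root"),                     # 0: no handshake
    Packet(EXTERNAL, 40001, TELNET_SERVER, 23, "S"),                               # 1: SYN
    Packet(TELNET_SERVER, 23, EXTERNAL, 40001, "SA"),                              # 2: SYN/ACK
    Packet(EXTERNAL, 40001, TELNET_SERVER, 23, "A"),                               # 3: ACK
    Packet(TELNET_SERVER, 23, EXTERNAL, 40001, "PA", b"Login as root is disabled\r\nlogin: "),  # 4: server banner
    Packet(EXTERNAL, 40001, TELNET_SERVER, 23, "PA", b"root\r\n"),                 # 5: client types root
]

RULE_NO_FLOW = Rule(EXTERNAL, None, TELNET_SERVER, 23, b"root")
RULE_TO_SERVER = Rule(EXTERNAL, None, TELNET_SERVER, 23, b"root", {"to_server", "established"})
RULE_CONTRADICTORY = Rule(EXTERNAL, None, TELNET_SERVER, 23, b"root", {"from_server", "established"})
RULE_FROM_SERVER = Rule(TELNET_SERVER, 23, EXTERNAL, None, b"root", {"from_server", "established"})

if __name__ == "__main__":
    for name, rule in [("no flow", RULE_NO_FLOW), ("to_server,established", RULE_TO_SERVER),
                       ("-> port 23 with from_server", RULE_CONTRADICTORY),
                       ("server -> client with from_server", RULE_FROM_SERVER)]:
        print(f"{name:36} alerts on packets {evaluate(rule, TRAFFIC)}")
```

Run as a script it prints that the flow-less rule alerts on packets 0 and 5, the `to_server,established` rule only on packet 5, the `->` header combined with `from_server` on nothing (the header admits only packets going to port 23, which in this session are always from the client), and the reversed header `$TELNET_SERVER 23 -> $EXTERNAL any` with `from_server,established` on packet 4. The practical effect of `established` is the difference between packets 0 and 5: without it, a detection engine alerts on any payload that happens to carry the string, including packets that belong to no real session.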


