Snort mailing list archives

Re: No Alerts In Windows: Problem with the 'established' flow control element


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 2 Aug 2004 23:18:26 -0400

Which version of Snort are you running? Try adding the "-k none" switch at the command line and see if that changes anything...

     -Marty


On Jul 30, 2004, at 5:48 PM, Mike wrote:

I have been having problems for the past few days getting snort to work
correctly in windows, mainly getting it to pick up alerts. After fooling with
some alerts myself to try and debug it, it seems that snort has some problem
with the "flow:established" option. For some reason snort is incorrectly
tracking established connections and when I make (for example) a web request
to domain.com/cmd.exe it will only pick up the attack if I remove the
established keyword.

Here is my original mail which contains all the info so I don't forward a
ton of stuff again:
http://marc.theaimsgroup.com/?l=snort-users&m=109114198631743&w=2


It seems this was mentioned a long time ago on the mailing list, but without
resolution:
http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=established+flow+working&q=b

Along with a lot of info on google:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=flow%3Aestablished+not+working

However I can't find if anyone ever resolved this in windows. So any help
would be great!

Mike



-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
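Editor's note on the exchange above. The `-k` switch selects Snort's checksum verification mode (`-k none` turns it off). On a Windows host whose NIC computes TCP checksums in hardware, the capture driver hands Snort the machine's own outbound segments before the checksum field has been filled in, so they fail verification; the stream tracker never sees a clean three-way handshake and `flow:established` never becomes true, while a rule without the flow keyword still fires on the request itself. The script below is an added illustration written for this archive page, not Snort's code and not something either poster supplied. It constructs a handshake and the `cmd.exe` request with made-up addresses (192.168.1.10 as the client running the sensor, 10.0.0.5 as the server), leaves the client-side checksums at zero to mimic offloading, and models a sensor that withholds bad-checksum packets from session tracking but still runs content rules on them, which is the behaviour Mike's observations imply; that model is an assumption of the example, not a statement from the thread.

```python
"""Added example: why flow:established can stay silent behind TCP checksum
offloading, and what -k none changes. Not Snort code; all packet data below
is constructed for the demo."""
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
CLIENT, SERVER = "192.168.1.10", "10.0.0.5"      # constructed addresses
REQUEST = b"GET /cmd.exe HTTP/1.0\r\n\r\n"      # the request mentioned in the mail


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers (proto 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)


def build_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", offload=False):
    """Return (src, dst, segment). offload=True leaves the checksum field at
    zero, mimicking a frame captured before the NIC computed it (assumption)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    seg = hdr + payload
    if not offload:
        csum = inet_checksum(pseudo_header(src, dst, len(seg)) + seg)
        seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    return src, dst, seg


def tcp_checksum_ok(src, dst, seg) -> bool:
    """Valid when the one's-complement sum over pseudo-header + segment is all ones."""
    return inet_checksum(pseudo_header(src, dst, len(seg)) + seg) == 0


def run_sensor(packets, verify_checksums, require_established):
    """Stand-in for session tracking plus one rule:
        alert tcp any any -> any 80 (content:"cmd.exe"; [flow:established,to_server;])
    verify_checksums=False models -k none. Returns the payloads that alerted."""
    sessions = {}                     # (initiator, responder) -> handshake state
    alerts = []
    for src, dst, seg in packets:
        sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", seg[:14])
        payload = seg[(off >> 4) * 4:]
        if not verify_checksums or tcp_checksum_ok(src, dst, seg):
            # Only packets that pass the checksum check (or every packet under
            # -k none) advance the session state machine.
            if flags & SYN and not flags & ACK:
                sessions[(src, dst)] = "syn"
            elif flags & SYN and sessions.get((dst, src)) == "syn":
                sessions[(dst, src)] = "syn_ack"
            elif flags & ACK and sessions.get((src, dst)) == "syn_ack":
                sessions[(src, dst)] = "established"
        # Detection still sees every packet (assumed); flow:established is the
        # part that depends on the tracker having seen the whole handshake.
        if dport == 80 and b"cmd.exe" in payload:
            if not require_established or sessions.get((src, dst)) == "established":
                alerts.append(payload)
    return alerts


def capture(offload_client_side=True):
    """Three-way handshake plus the request, as captured on the client itself."""
    o = offload_client_side
    return [
        build_tcp(CLIENT, SERVER, 1025, 80, 1000, 0, SYN, offload=o),
        build_tcp(SERVER, CLIENT, 80, 1025, 5000, 1001, SYN | ACK),
        build_tcp(CLIENT, SERVER, 1025, 80, 1001, 5001, ACK, offload=o),
        build_tcp(CLIENT, SERVER, 1025, 80, 1001, 5001, PSH | ACK, REQUEST, offload=o),
    ]


def demo(offload_client_side=True):
    """Alerts for each combination of checksum mode and rule option."""
    pkts = capture(offload_client_side)
    return {
        ("-k all", "flow:established"): run_sensor(pkts, True, True),
        ("-k all", "no flow"): run_sensor(pkts, True, False),
        ("-k none", "flow:established"): run_sensor(pkts, False, True),
        ("-k none", "no flow"): run_sensor(pkts, False, False),
    }


if __name__ == "__main__":
    for (mode, rule), hits in demo().items():
        print(f"{mode:8} {rule:18} -> {len(hits)} alert(s)")
```

With offloaded client packets the only silent combination is the default checksum mode together with `flow:established`; switching to `-k none` (or dropping the flow keyword) makes the rule fire, which is the pattern Mike describes. Passing `offload_client_side=False` to `demo()` makes every combination alert, so on a real sensor the quick check is whether the outbound packets in a capture on the Windows box carry valid TCP checksums.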




