Snort mailing list archives

RE:need help understanding the "flow:" keyword


From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Tue, 11 Jan 2005 11:37:13 -0500

Thanks Frank-

I checked those two options, and set them to what you suggested.  No change, the flow rules still do not seem to work.

Anyone else using 2.3RC2 on Solaris 8?

Any thoughts on whether the SUN iPlanet proxy server is disrupting the "flow" of packets?


-----Original Message-----
From:   snort-users-admin () lists sourceforge net on behalf of Frank Knobbe
Sent:   Fri 01/07/2005 03:31 PM
To:     Miner, Jonathan W (CSC) (US SSA)
Cc:     snort-users () lists sourceforge net
Subject:        Re: gamancio () weg com br - Bayesian Filter detected spam - RE:[Snort-users] need help understanding the "flow:" keyword

On Wed, 2005-01-05 at 13:46 -0500, Miner, Jonathan W (CSC) (US SSA)
wrote:
I am running 2.3RC2... I upgraded to that yesterday.

It appears that none of the flow sigs fire.

Another thing to check is the stream4 and stream4_reassembly
preprocessors. Make sure they are enabled. I highly recommend using
"ports all" on the reassembler.

My options:
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both, noalerts, ports all

See if that makes a difference.

Regards,
Frank


