Snort mailing list archives

need help understanding the "flow:" keyword


From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Wed, 5 Jan 2005 10:12:01 -0500

Happy New Year!

With the start of the new year, I decided to fetch the latest copy of the bleedingsnort.com rules.  And to my surprise, 
none of the rules fired, and I'm pretty sure that we didn't clean all the "crap" off the company PCs during the holiday 
shutdown.  After researching this, I see that many of the rules have been updated to include the "flow:" keyword.

I run my Snort (2.3.0RC2) sensor on the same box as our SUN iProxy (3.6/SP6) web proxy server.  The proxy server also 
uses SmartFilter (from SecureComputing) to filter web traffic. Both HOME_NET and EXTERNAL_NET are set to "any". I 
edited the bleeding-all.rules file, and took out all the "flow:" commands, and now Snort is detecting traffic as 
expected.

I must be missing something, but even after using Google, and reading several examples of flow usage, I'm puzzled.

Thanks
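As an added illustration of what the "flow:" options constrain (this is not code from the original post or from Snort itself): a minimal session tracker, assumed here for demonstration, that marks a TCP session "established" only after it has seen the full SYN, SYN/ACK, ACK handshake, and a matcher that applies a rule's `flow:` options against that tracked state. It shows why a rule carrying `flow:to_server,established` only fires on client-to-server packets of a session whose handshake was observed.

```python
from dataclasses import dataclass

@dataclass
class Session:
    client: tuple        # (ip, port) of the side that sent the SYN
    server: tuple
    state: str = "new"   # syn_sent -> syn_recv -> established

SESSIONS = {}   # assumed in-memory stand-in for the stream preprocessor's table

def _key(src, dst):
    return frozenset((src, dst))

def track(src, dst, flags):
    """Update session state for one TCP segment; returns the Session or None."""
    k = _key(src, dst)
    s = SESSIONS.get(k)
    if s is None:
        if flags == {"SYN"}:
            SESSIONS[k] = Session(client=src, server=dst, state="syn_sent")
            return SESSIONS[k]
        return None   # mid-stream segment whose handshake was never seen
    if s.state == "syn_sent" and flags == {"SYN", "ACK"} and src == s.server:
        s.state = "syn_recv"
    elif s.state == "syn_recv" and "ACK" in flags and src == s.client:
        s.state = "established"
    return s

def flow_matches(flow_opts, src, dst, flags):
    """True if this segment satisfies the rule's flow: options (e.g. 'to_server,established')."""
    s = track(src, dst, flags)
    opts = set(flow_opts.split(","))
    if "established" in opts and (s is None or s.state != "established"):
        return False
    if ("to_server" in opts or "from_client" in opts) and (s is None or src != s.client):
        return False
    if ("to_client" in opts or "from_server" in opts) and (s is None or src != s.server):
        return False
    return True

def demo():
    """Constructed traffic: one full handshake, then a request, a reply, and a mid-stream segment."""
    SESSIONS.clear()
    c, p = ("10.0.0.5", 40000), ("192.0.2.10", 80)          # constructed client and proxy addresses
    rule = "to_server,established"
    results = [flow_matches(rule, c, p, {"SYN"})]            # handshake incomplete -> False
    flow_matches(rule, p, c, {"SYN", "ACK"})
    flow_matches(rule, c, p, {"ACK"})                        # session now established
    results.append(flow_matches(rule, c, p, {"ACK", "PSH"}))  # client request -> True
    results.append(flow_matches(rule, p, c, {"ACK", "PSH"}))  # server reply -> False (wrong direction)
    results.append(flow_matches(rule, ("10.0.0.6", 40001), p, {"ACK", "PSH"}))  # no handshake seen -> False
    return results
```

Running `demo()` returns `[False, True, False, False]`: only the client-to-server segment of a tracked, fully established session matches.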


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net