Snort mailing list archives
RE: need help understanding the "flow:" keyword
From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Wed, 5 Jan 2005 12:35:35 -0500
(I hate how MS-Outlook does replies... see my response below)

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Wed 01/05/2005 12:24 PM
To: Miner, Jonathan W (CSC) (US SSA)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] need help understanding the "flow:" keyword

On Wed, 2005-01-05 at 10:12 -0500, Miner, Jonathan W (CSC) (US SSA) wrote:
I run my Snort (2.3.0RC2) sensor on the same box as our SUN iProxy (3.6/SP6) web proxy server. The proxy server also uses SmartFilter (from SecureComputing) to filter web traffic. Both HOME_NET and EXTERNAL_NET are set to "any". I edited the bleeding-all.rules file, and took out all the "flow:" commands, and now Snort is detecting traffic as expected. I must be missing something, but even after using Google, and reading several examples of flow usage, I'm puzzled.
It appears you do not have the flow preprocessor enabled. Make sure your snort.conf contains:

preprocessor flow: stats_interval 0 hash 2

Note that not having this line will cause all rules that contain the flow statement to be missed. Also note that this does not only apply to the bleeding rules, but also all stock Snort rules that use the flow statement (and that's most of them I think). So it appears that without flow, you were missing the majority of Snort rules as well.

Hope this helps,
Frank
(responsible for adding flow to the bleeding rules...)

-----End-Original Message-----

Thanks Frank-

I do have the flow preprocessor enabled, same line in snort.conf as you have in your email. Another person suggested that I needed to assign actual addresses to the HOME_NET and EXTERNAL_NET variables, instead of using "any". I tried to set HOME_NET to be the subnet where the PCs are and EXTERNAL_NET to be the IP address of the proxy server, but that didn't work either.
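The failure mode Frank describes above (every rule carrying a flow option goes quiet when the flow preprocessor line is missing or commented out) is easy to check for mechanically. The following is an added example, not code from the thread or from the Snort project: it reads a snort.conf fragment and a rules fragment (both constructed samples here) and lists the sids that would never fire under that configuration. It assumes the classic Snort 2.x single-line rule syntax and that rule options contain no ';' inside quoted content.

```python
import re

# Constructed sample snort.conf: the flow preprocessor line is present but commented out.
SNORT_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
# preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: detect_scans
"""

# Constructed sample rules (sids are placeholders, not real rule ids).
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example A"; flow:to_server,established; content:"foo"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example B"; content:"bar"; sid:1000002;)
alert tcp any any -> any 21 (msg:"FTP example C"; flow:to_server; content:"baz"; sid:1000003;)
"""

# An uncommented 'preprocessor flow:' directive at the start of a line.
FLOW_PREPROC = re.compile(r"^\s*preprocessor\s+flow\s*:", re.MULTILINE)
# Snort 2.x rule: action, header, then the option block in parentheses.
RULE_LINE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+.*\((.*)\)\s*$")


def flow_preprocessor_enabled(conf_text):
    """True if snort.conf contains an active (uncommented) flow preprocessor line."""
    return bool(FLOW_PREPROC.search(conf_text))


def rules_using_flow(rules_text):
    """Return the sid of every rule whose option block contains the flow keyword."""
    sids = []
    for line in rules_text.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue  # comments, blank lines, variable definitions
        opts = [o.strip() for o in m.group(2).split(";") if o.strip()]
        if any(o.startswith("flow:") for o in opts):
            sid = next((o.split(":", 1)[1].strip() for o in opts if o.startswith("sid:")), None)
            sids.append(sid)
    return sids


def silently_missed_rules(conf_text, rules_text):
    """Rules that depend on flow but have no flow preprocessor to satisfy them."""
    if flow_preprocessor_enabled(conf_text):
        return []
    return rules_using_flow(rules_text)


if __name__ == "__main__":
    print("flow enabled:", flow_preprocessor_enabled(SNORT_CONF))
    print("rules that will never fire:", silently_missed_rules(SNORT_CONF, RULES))
```

Running it on real files (read them with open().read() in place of the constructed strings) gives a quick way to tell the "rules missing" symptom apart from variable or traffic-direction problems like the HOME_NET/EXTERNAL_NET guess discussed in the reply.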