Snort mailing list archives

RE: need help understanding the "flow:" keyword


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 05 Jan 2005 11:55:12 -0600

On Wed, 2005-01-05 at 12:35 -0500, Miner, Jonathan W (CSC) (US SSA) wrote:
> I do have the flow preprocessor enabled, same line in snort.conf as
> you have in your email.

hmmm... what version of Snort are you using? 2.3RC2 is rock-solid, so
you might want to try that and see if that fixes the problem.

> Another person suggested that I needed to assign actual addresses to
> the HOME_NET and EXTERNAL_NET variables, instead of using "any". I
> tried to set HOME_NET to be the subnet where the PCs are and
> EXTERNAL_NET to be the IP address of the proxy server, but that didn't
> work either.

I don't think that matters. You can use an address or ANY. Flow will still
keep track of the flows.

Are there particular sigs that are not firing, or do none of them work?

Frank
