RE: need help understanding the "flow:" keyword

["Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>]

-----Original Message-----
From:   Frank Knobbe [mailto:frank () knobbe us]
Sent:   Wed 01/05/2005 12:55 PM
To:     Miner, Jonathan W (CSC) (US SSA)
Cc:     snort-users () lists sourceforge net
Subject:        RE: [Snort-users] need help understanding the "flow:" keyword
On Wed, 2005-01-05 at 12:35 -0500, Miner, Jonathan W (CSC) (US SSA)
wrote:
> I do have the flow preprocessor enabled, same line in snort.conf as
> you have in your email.

hmmm... what version of Snort are you using? 2.3RC2 is rock-solid, so
you might want to try that and see if that fixes the problem.

> Another person suggested that I needed to assign actual addresses to
> the HOME_NET and EXTERNAL_NET variables, instead of using "any". I
> tried to set HOME_NET to be the subnet where the PCs are and
> EXTERNAL_NET to be the IP address of the proxy server, but that didn't
> work either.

I don't think that matters. You can an address or ANY. Flow will still
keep track of the flows.

Are there particular sigs that are not firing, or do none of them work?

Frank
-----Original Message-----

I am running 2.3RC2... I upgraded to that yesterday.

It appears that none of the flow sigs fire.


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users