Snort mailing list archives

RE: need help understanding the "flow:" keyword

From: Frank Knobbe <frank () knobbe us>
Date: Wed, 05 Jan 2005 15:04:11 -0600

On Wed, 2005-01-05 at 13:46 -0500, Miner, Jonathan W (CSC) (US SSA)
wrote:

I do have the flow preprocessor enabled, same line in snort.conf as
you have in your email.

[...]
I am running 2.3RC2... I upgraded to that yesterday.

It appears that none of the flow sigs fire.


That is very strange. I'm running 2.3.0RC2 (build 9) with flow
preprocessor enabled, and my bleeding (and normal Snort rules) that
contain flow alert just fine.

Last thing to check... do you have a -z in the Snort command line? If
so, take that out and see if that makes difference.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

need help understanding the "flow:" keyword Miner, Jonathan W (CSC) (US SSA) (Jan 05)
- Re: need help understanding the "flow:" keyword Frank Knobbe (Jan 05)
- <Possible follow-ups>
- RE: need help understanding the "flow:" keyword Miner, Jonathan W (CSC) (US SSA) (Jan 05)
  - RE: need help understanding the "flow:" keyword Frank Knobbe (Jan 05)
- RE: need help understanding the "flow:" keyword Miner, Jonathan W (CSC) (US SSA) (Jan 05)
  - RE: need help understanding the "flow:" keyword Frank Knobbe (Jan 05)
  - Re: gamancio () weg com br - Bayesian Filter detected spam - RE: need help understanding the "flow:" keyword Frank Knobbe (Jan 07)
- RE: need help understanding the "flow:" keyword Miner, Jonathan W (CSC) (US SSA) (Jan 05)
- RE:need help understanding the "flow:" keyword Miner, Jonathan W (CSC) (US SSA) (Jan 11)