Snort mailing list archives

Snort Inline - flow established does not appear to be working


From: Ron Brash <ron.brash () gmail com>
Date: Tue, 16 Aug 2011 13:26:36 -0700

Hi all,

I'm reposting my original question since I cannot resolve my issue so
far with flow:established not working.  I have tried the snort users
group, but no such luck in finding a solution.

So to let everyone in on the background info - I have managed to cross
compile PCRE, DAQ 0.5 and Snort 2.9.0.5 to run on an armeb Openwrt
embedded device.  So far I have the decoders working as expected, pcre
(which requires content to match, then pcre is run?), basic rules work
(haven't figured out the dynamic pre-processors yet since I am compiling
statically - help on this would be great too :)) and basic flow options
work such as to_server, to_client, but flow:established does not work.

We are running on a bridge, but the nfqueue stuff should take care of
that and I can confirm it is working correctly as far as I can tell with
payload matchers like content, pcre and src/dst and port matchers.

I use the following to get Snort started:

./snort -Q --daq nfq --daq-var queue=502 --daq-dir /usr/local/lib/daq/ -c /etc/snort/snort.conf -A console -N -vCd -X

Which is listening on the forward chain using an iptables rule like
so:

iptables -A FORWARD -p tcp --dport 502 -j NFQUEUE --queue-num 502

I am playing around with rules like the one below:

alert tcp 192.168.1.14 any -> 192.168.1.12 502 (flow:to_server,established; content:"|03|"; msg:"YUMMY"; sid:1111203;)

Again to reiterate, rules like flow:to_server or flow:to_client appear
to be working just fine, but to get flow to work correctly, what needs
to be done?
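As an added example, not code from the original post or from Snort itself: a toy TCP session tracker that shows what separates flow:established from flow:to_server. to_server is a direction test alone, while established also requires the sensor to have seen the three-way handshake in both directions, so a sensor that is fed only packets with destination port 502 (the selection an iptables rule matching --dport 502 alone makes) never observes the server's SYN-ACK. The hosts and port are those from the question; the packets and the Modbus-style payload are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "S", "A", "P" for SYN, ACK, PSH
    payload: bytes = b""

class FlowTracker:
    """Toy stream tracker: the 'server' is whichever side listens on server_port."""
    def __init__(self, server_port=502):
        self.server_port = server_port
        self.handshake = {}          # session key -> handshake steps observed

    def _key(self, p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def to_server(self, p):
        return p.dport == self.server_port

    def observe(self, p):
        """Feed one packet; return (to_server, established) as a rule would see them."""
        seen = self.handshake.setdefault(self._key(p), set())
        if p.flags == "S" and self.to_server(p):
            seen.add("syn")
        elif p.flags == "SA" and not self.to_server(p) and "syn" in seen:
            seen.add("synack")                       # only visible if replies reach us
        elif "A" in p.flags and self.to_server(p) and "synack" in seen:
            seen.add("ack")
        return self.to_server(p), {"syn", "synack", "ack"} <= seen

def matches(packets, want_established):
    """Count payload packets matching flow:to_server (or flow:to_server,established)."""
    tracker, hits = FlowTracker(), 0
    for p in packets:
        to_server, established = tracker.observe(p)
        if p.payload and to_server and (established or not want_established):
            hits += 1
    return hits

# Constructed session: client 192.168.1.14 -> Modbus-style server 192.168.1.12:502.
C, S = "192.168.1.14", "192.168.1.12"
HANDSHAKE = [Pkt(C, 40000, S, 502, "S"), Pkt(S, 502, C, 40000, "SA"), Pkt(C, 40000, S, 502, "A")]
DATA = Pkt(C, 40000, S, 502, "PA", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01")
FULL_VIEW = HANDSHAKE + [DATA]                              # both directions reach the sensor
DPORT_ONLY_VIEW = [p for p in FULL_VIEW if p.dport == 502]  # only --dport 502 packets reach it
```

With FULL_VIEW both predicates match the data packet; with DPORT_ONLY_VIEW to_server still matches but established never becomes true, because the SYN-ACK was never seen.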

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
