Snort mailing list archives

Problem with flow:established


From: Michael Schwartzkopff <misch () multinet de>
Date: Sat, 17 May 2003 10:26:59 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I tried to solve a hacking challenge and found the following tcp stream 
(please see attached tcpdump log).

I think the hacker exploited a SUN using the dtspcd bug (sid: 1398). I checked 
the capture with snort version 2.0.0 (Build 72), but got no alert or warning:
/usr/local/bin/snort -r mylog.log -c /etc/snort.conf

If I change the rule for sid 1398 and delete the "established" from the flow 
statement I get the correct warning. Can somebody please explain the 
strange behaviour to me? Thanks.

Sincerely,

- -- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+40 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP-ID: 15F925D9CEF94F2C
Fingerprint: AF27 2674 4631 E230 B431  F68D 15F9 25D9 CEF9 4F2C

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE+xfJWFfkl2c75TywRAp7uAJ9O5LiYgIvNYpfECPR0EFOjFjwOuQCePRlX
64uaBX1rm3Pb8jlTlN3nY10=
=KXDT
-----END PGP SIGNATURE-----

Attachment: mylog.log
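
The difference the post describes hinges on what flow:established actually tests: the rule option only matches once Snort's stream preprocessor has marked the TCP session as established, and the model below assumes (as stream4 in that era did) that this requires the three-way handshake to be present in the traffic it processes. A capture that starts after the handshake, or a configuration without the stream preprocessor enabled, therefore never satisfies the option, while a copy of the rule without it matches on the payload alone. The following Python script is an added illustration, not Snort's own code or the original rule; the client/server addresses, the EXPLOIT-MARKER content string and the 6112/tcp port assignment are constructed for the example.

```python
# Simplified model of stream-based flow tracking and rule matching, added to
# illustrate why flow:established misses when the handshake is not in the capture.
# This is NOT Snort's stream4 code; all packets and the rule content are constructed.
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def flow_key(p):
    """Direction-independent key so both sides of a connection share one state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


class FlowTracker:
    """Per-flow handshake state: None -> 'syn' -> 'synack' -> 'established'.
    A session is only ever marked established after all three handshake packets
    were observed; there is no mid-stream pickup in this model."""

    def __init__(self):
        self.state = {}

    def update(self, p):
        k = flow_key(p)
        s = self.state.get(k)
        if p.flags == SYN and s is None:
            self.state[k] = "syn"
        elif p.flags == SYN | ACK and s == "syn":
            self.state[k] = "synack"
        elif p.flags & ACK and s == "synack":
            self.state[k] = "established"
        return self.state.get(k)

    def established(self, p):
        return self.state.get(flow_key(p)) == "established"


@dataclass(frozen=True)
class Rule:
    sid: int
    dport: int
    content: bytes
    require_established: bool  # models the presence of flow:established


def run(rules, packets):
    """Evaluate rules over a packet list; returns (sid, packet index) alerts."""
    tracker = FlowTracker()
    alerts = []
    for i, p in enumerate(packets):
        tracker.update(p)
        for r in rules:
            if p.dport != r.dport or r.content not in p.payload:
                continue
            if r.require_established and not tracker.established(p):
                continue
            alerts.append((r.sid, i))
    return alerts


def build_capture(with_handshake):
    """Constructed capture: optional handshake, then one data packet to 6112/tcp."""
    client = ("10.0.0.5", 40000)   # constructed attacker-side endpoint
    server = ("10.0.0.9", 6112)    # constructed Sun host; dtspcd listens on 6112/tcp
    handshake = [
        Packet(*client, *server, SYN),
        Packet(*server, *client, SYN | ACK),
        Packet(*client, *server, ACK),
    ]
    data = [Packet(*client, *server, PSH | ACK, b"...EXPLOIT-MARKER...")]
    return (handshake if with_handshake else []) + data


def compare(with_handshake):
    """Run the original-style rule and a copy without flow:established."""
    with_flow = Rule(1398, 6112, b"EXPLOIT-MARKER", True)
    no_flow = Rule(1398, 6112, b"EXPLOIT-MARKER", False)   # modified local copy
    return {
        "flow_established": bool(run([with_flow], build_capture(with_handshake))),
        "without_flow": bool(run([no_flow], build_capture(with_handshake))),
    }


if __name__ == "__main__":
    print("handshake in capture:  ", compare(True))
    print("capture starts mid-stream:", compare(False))
```

Running it shows both rule variants alerting when the handshake is present, and only the modified copy alerting when the capture starts mid-stream, which is the asymmetry reported in the post. The practical check is therefore to confirm that the pcap contains the SYN, SYN/ACK and ACK of the suspect session and that the stream preprocessor is enabled in snort.conf before concluding that the rule itself is wrong.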