Snort mailing list archives

flow: problem -> no alert


From: mael <mael () m-ellinger de>
Date: Mon, 4 Aug 2003 10:30:58 +0200


Hello,

I'm using Snort 2.0.1 to monitor attacks on
webservers.

Problem:
All rules with a "flow:" statement never log
any alerts. Let's say I make a request from
somewhere in the internet to my webserver

lynx http://abc.def.ghi.jkl/calender.pl

the rule (from web-cgi.rules)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender.pl access"; flow:to_server,established; uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432; classtype:attempted-recon; sid:1455; rev:3;)

should generate an alert, but nothing happens.

If I delete the "flow:to_server,established;" from
the rule then all works as expected.

My snort.conf includes the
preprocessor stream4: detect_scans, disable_evasion_alerts
and also
preprocessor stream4_reassemble

The variables HOME_NET, EXTERNAL_NET, HTTPS_SERVERS, 
HTTP_PORTS are defined.

Any advice on what is going on? Do I have to delete
the "flow:" statement from all rules?

Thanks,
Manuel Elander
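Added illustration for this thread (not part of the post and not Snort's own code): a small Python script that parses Snort 2.x rules, lists which sids carry a `flow:` option, re-renders a rule with that option stripped (what the poster did by hand), and checks whether a snort.conf fragment enables the stream4 preprocessor whose session state the `flow` keyword depends on. The rules text embeds the web-cgi.rules entry quoted above joined onto one line; the two EXAMPLE rules, their sids 9000001 and 9000002, and the conf fragment (built around the two preprocessor lines from the post plus made-up `var` lines) are constructed sample input.

```python
"""Inspect Snort 2.x rules for 'flow:' options and the preprocessor they rely on.
Added example for the mailing-list thread; not Snort code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rules file. The first rule is the web-cgi.rules entry
# quoted in the post, joined onto one line; the EXAMPLE rules are made up.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender.pl access"; flow:to_server,established; uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432; classtype:attempted-recon; sid:1455; rev:3;)
# constructed: same shape, but without a flow option
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE no flow"; uricontent:"/example.cgi"; nocase; sid:9000001; rev:1;)
# constructed: matches only the server's reply direction
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"EXAMPLE server reply"; flow:from_server,established; content:"200 OK"; sid:9000002; rev:1;)
"""

# Constructed snort.conf fragment around the two preprocessor lines in the post.
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split the option body on ';' while honouring quoted strings and \\" escapes.
    Returns (name, raw_value) pairs; raw_value keeps its quotes so rules re-render intact."""
    options: List[Tuple[str, Optional[str]]] = []
    current: List[str] = []

    def flush() -> None:
        token = "".join(current).strip()
        if token:
            name, sep, value = token.partition(":")
            options.append((name.strip(), value.strip() if sep else None))
        current.clear()

    in_quote, i = False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])  # keep the escaped character verbatim
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            flush()
        else:
            current.append(ch)
        i += 1
    flush()  # tolerate a final option without its terminating ';'
    return options


def parse_rule(line: str) -> Dict:
    """Parse one rule line into header fields, ordered options and a lookup of first values."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("body"))
    rule["values"] = {}
    for name, value in rule["options"]:
        rule["values"].setdefault(name, None if value is None else value.strip('"'))
    return rule


def load_rules(text: str) -> List[Dict]:
    """Parse every non-blank, non-comment line of a rules file."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def flow_flags(rule: Dict) -> List[str]:
    """The comma-separated flags of the flow option, e.g. ['to_server', 'established']."""
    value = rule["values"].get("flow")
    return [f.strip() for f in value.split(",")] if value else []


def needs_session_state(rule: Dict) -> bool:
    """A rule with flow: only fires when stream4 has a tracked session for the packet."""
    return bool(flow_flags(rule))


def render(rule: Dict, drop: Tuple[str, ...] = ()) -> str:
    """Rebuild the rule text, omitting any options named in drop (e.g. ('flow',))."""
    header = " ".join(rule[k] for k in ("action", "proto", "src", "sport", "direction", "dst", "dport"))
    opts = [n if v is None else f"{n}:{v}" for n, v in rule["options"] if n not in drop]
    return f"{header} ({' '.join(o + ';' for o in opts)})"


def has_stream4(conf_text: str) -> bool:
    """True if the stream4 preprocessor itself is enabled; stream4_reassemble alone does not count."""
    return any(re.match(r"^\s*preprocessor\s+stream4\s*(:|$)", l) for l in conf_text.splitlines())


def report(rules_text: str = SAMPLE_RULES, conf_text: str = SAMPLE_CONF) -> Dict[str, object]:
    """Which sids depend on session state, which do not, and whether the conf provides it."""
    rules = load_rules(rules_text)
    return {
        "flow_sids": [r["values"]["sid"] for r in rules if needs_session_state(r)],
        "plain_sids": [r["values"]["sid"] for r in rules if not needs_session_state(r)],
        "stream4_enabled": has_stream4(conf_text),
    }


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key}: {val}")
    print(render(load_rules(SAMPLE_RULES)[0], drop=("flow",)))
```

Running the script against a real rules directory is a matter of passing the file contents to `report()`. Re-rendering a rule with `drop=("flow",)` reproduces the poster's manual workaround, which is useful as a diagnostic: if the stripped rule fires and the original does not, stream4 is not supplying session state for that traffic. It is not a replacement for `flow`, since the stripped rule also matches the same content in the reply direction and on sessions stream4 never tracked.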
