Snort mailing list archives
flow: problem -> no alert
From: mael <mael () m-ellinger de>
Date: Mon, 4 Aug 2003 10:30:58 +0200
Hello,

I'm using Snort 2.0.1 to monitor attacks on webservers. Problem: all rules with a "flow:" statement never log any alerts.

Let's say I make a request from somewhere in the internet to my webserver:

    lynx http://abc.def.ghi.jkl/calender.pl

The rule (from web-cgi.rules)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender.pl access"; flow:to_server,established; uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432; classtype:attempted-recon; sid:1455; rev:3;)

should generate an alert ... but nothing happens. If I delete the "flow:to_server,established;" from the rule, then all works as expected.

My snort.conf includes the preprocessor stream4:

    preprocessor stream4: detect_scans, disable_evasion_alerts

and also

    preprocessor stream4_reassemble

The variables HOME_NET, EXTERNAL_NET, HTTPS_SERVERS, HTTP_PORTS are defined.

Any advice on what is going on? Do I have to delete the "flow:" statement from all rules?

Thanks,
Manuel Elander
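Added example, not code from the original post and not part of Snort: in Snort 2.x the "flow:" option is evaluated against the TCP session state that the stream4 preprocessor keeps, so a rule carrying "flow:" can never match when stream4 is not configured (and, even with stream4 enabled, only once stream4 has seen the session). The lint below parses rules with a deliberately simplified Snort rule parser, reads the "preprocessor" and "var" lines of a snort.conf fragment, and reports rules whose "flow:" option is dead because stream4 is missing, plus rules that reference a $VARIABLE the config never defines. The snort.conf fragments and the second rule (sid 9000001) are constructed for the example; the sid 1455 rule is the one quoted in the post.

```python
"""Lint for Snort 2.x rule/config prerequisites (added example, not Snort code)."""
import re

# Constructed snort.conf fragment with stream4 enabled, like the poster's.
SNORT_CONF_WITH_STREAM4 = """\
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
"""

# Same fragment with both stream4 lines commented out (constructed).
SNORT_CONF_WITHOUT_STREAM4 = SNORT_CONF_WITH_STREAM4.replace(
    "preprocessor stream4", "# preprocessor stream4")

# The sid:1455 rule quoted in the post plus one constructed rule without "flow:".
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender.pl access"; flow:to_server,established; uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432; classtype:attempted-recon; sid:1455; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE no flow"; uricontent:"/example.pl"; nocase; sid:9000001; rev:1;)
'''

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

# One option: name, optional ":value" (a quoted value may contain ';'), then ';'
OPTION_RE = re.compile(r'([A-Za-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(opts):
    """Turn 'msg:"x"; flow:to_server; nocase;' into a dict; flag-only options map to True."""
    result = {}
    for m in OPTION_RE.finditer(opts):
        name, value = m.group(1), m.group(2)
        result[name] = True if value is None else value.strip().strip('"')
    return result


def parse_rule(line):
    """Parse one rule line; None for blank lines, comments and anything unparsable."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule["options"] = parse_options(rule.pop("opts"))
    return rule


def parse_conf(conf):
    """Return (enabled preprocessor names, defined var names) from a snort.conf text."""
    preprocessors, variables = set(), set()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'preprocessor\s+([A-Za-z0-9_]+)', line)
        if m:
            preprocessors.add(m.group(1))
        m = re.match(r'var\s+([A-Za-z0-9_]+)\s+\S', line)
        if m:
            variables.add(m.group(1))
    return preprocessors, variables


def flow_rules_without_stream4(rules, conf):
    """SIDs of rules that use 'flow:' while no stream4 preprocessor is configured."""
    preprocessors, _ = parse_conf(conf)
    if "stream4" in preprocessors:
        return []
    return [int(r["options"]["sid"]) for r in map(parse_rule, rules.splitlines())
            if r is not None and "flow" in r["options"]]


def undefined_variables(rules, conf):
    """(sid, variable) pairs for $VARIABLE references in rule headers the config never defines."""
    _, variables = parse_conf(conf)
    missing = []
    for r in map(parse_rule, rules.splitlines()):
        if r is None:
            continue
        for field in ("src", "sport", "dst", "dport"):
            for var in re.findall(r'\$([A-Za-z0-9_]+)', r[field]):
                if var not in variables:
                    missing.append((int(r["options"]["sid"]), var))
    return missing


if __name__ == "__main__":
    print("flow rules dead (stream4 on): ", flow_rules_without_stream4(RULES, SNORT_CONF_WITH_STREAM4))
    print("flow rules dead (stream4 off):", flow_rules_without_stream4(RULES, SNORT_CONF_WITHOUT_STREAM4))
    print("undefined variables:          ", undefined_variables(RULES, SNORT_CONF_WITH_STREAM4))
```

With stream4 present the first check returns nothing, which matches the poster's configuration; with both stream4 lines commented out it lists sid 1455, the only rule carrying "flow:". The variable check is a separate sanity test of the rule headers against the "var" lines, since a rule header can only match traffic for variables the config actually defines.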
Current thread:
- flow: problem -> no alert mael (Aug 05)
- Re: flow: problem -> no alert Erek Adams (Aug 06)