Snort mailing list archives
Re: flow: problem -> no alert
From: Erek Adams <erek () snort org>
Date: Wed, 6 Aug 2003 10:43:34 -0400 (EDT)
On Mon, 4 Aug 2003, mael wrote:

> [...snip...]
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender.pl access"; flow:to_server,established; uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432; classtype:attempted-recon; sid:1455; rev:3;)
>
> should generate an alert... but nothing happens. If I delete the "flow:to_server,established;" from the rule then all works as expected.
> [...snip...]

I think the key here is "works as expected." The 'flow:' keyword works on the state that stream4 has. If the state isn't established and headed to the server, then the alert won't fire. If you _really_ think something is broken, get a pcap (snaplen at 1514 or 65535) of the session. With that, it's a lot easier to tell if there is a problem in the code or simply a misconfiguration.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
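The reply's point, that `flow:to_server,established` can only match when the stream tracker has seen the session become established in the client-to-server direction, is easy to reproduce with a toy model. The following is an added example, not Snort or stream4 code and not from either poster: a minimal session table that marks a session established only after a full three-way handshake, plus a simplified matcher for sid:1455 from the thread (it checks the raw payload rather than Snort's normalized URI buffer). The endpoints, ports and HTTP request are constructed sample data. It runs the rule both with and without the flow option over a captured-from-the-start session and over a session picked up mid-stream, which is the case where the rule goes silent.

```python
"""Toy model of why `flow:to_server,established` depends on tracked TCP state.

Added example, not Snort/stream4 code. Endpoints and packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample endpoints (hypothetical addresses, not from the thread).
CLIENT = ("10.0.0.5", 40000)
SERVER = ("192.0.2.10", 80)
HTTP_PORTS = {80}  # stands in for $HTTP_PORTS


@dataclass(frozen=True)
class Packet:
    src: Tuple[str, int]
    dst: Tuple[str, int]
    flags: str            # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    payload: bytes = b""


@dataclass
class FlowState:
    established: bool
    to_server: bool


class StreamTracker:
    """Minimal stream4-like session table.

    A session is created only by a SYN and becomes ESTABLISHED only after the
    SYN/ACK and the final ACK are seen. A packet that belongs to no known
    session (Snort started mid-stream, or the handshake was never captured)
    gets no flow state at all, which is what makes `flow:` rules stay silent.
    """

    def __init__(self) -> None:
        self.sessions: Dict[FrozenSet[Tuple[str, int]], dict] = {}

    def observe(self, pkt: Packet) -> FlowState:
        key = frozenset((pkt.src, pkt.dst))
        sess = self.sessions.get(key)
        if sess is None:
            if pkt.flags == "S":  # the initiator's SYN defines who the client is
                self.sessions[key] = {"state": "SYN_SENT", "client": pkt.src}
            return FlowState(established=False, to_server=False)
        to_server = pkt.src == sess["client"]
        if sess["state"] == "SYN_SENT" and pkt.flags == "SA" and not to_server:
            sess["state"] = "SYN_RECV"
        elif sess["state"] == "SYN_RECV" and pkt.flags == "A" and to_server:
            sess["state"] = "ESTABLISHED"
        return FlowState(established=sess["state"] == "ESTABLISHED", to_server=to_server)


def sid_1455_matches(pkt: Packet, flow: FlowState, use_flow: bool = True) -> bool:
    """Simplified sid:1455: tcp -> $HTTP_PORTS, uricontent:"/calender.pl"; nocase,
    optionally gated on flow:to_server,established. The uricontent check is
    approximated by a case-insensitive search of the raw payload."""
    if pkt.dst[1] not in HTTP_PORTS:
        return False
    if use_flow and not (flow.established and flow.to_server):
        return False
    return b"/calender.pl" in pkt.payload.lower()


def alerts(packets: List[Packet], use_flow: bool) -> List[int]:
    """Feed packets through the tracker; return the indexes that raise sid:1455."""
    tracker = StreamTracker()
    hits: List[int] = []
    for i, pkt in enumerate(packets):
        flow = tracker.observe(pkt)
        if sid_1455_matches(pkt, flow, use_flow):
            hits.append(i)
    return hits


# Constructed traffic: a clean handshake followed by the request from the rule.
HANDSHAKE = [
    Packet(CLIENT, SERVER, "S"),
    Packet(SERVER, CLIENT, "SA"),
    Packet(CLIENT, SERVER, "A"),
]
REQUEST = Packet(CLIENT, SERVER, "A", b"GET /cgi-bin/Calender.pl HTTP/1.0\r\n\r\n")


def demo() -> Dict[str, List[int]]:
    full = HANDSHAKE + [REQUEST]
    midstream = [REQUEST]  # capture started after the handshake
    return {
        "full_session,flow": alerts(full, True),        # handshake tracked: alert
        "full_session,no_flow": alerts(full, False),    # alert either way
        "midstream,flow": alerts(midstream, True),      # the thread's symptom: silence
        "midstream,no_flow": alerts(midstream, False),  # dropping flow "fixes" it
    }


if __name__ == "__main__":
    for scenario, hits in demo().items():
        print(f"{scenario:24s} -> alerts at packet indexes {hits}")
```

The silent case is the one the original poster hit: with no handshake in the tracked state, the flow check fails before the content is ever compared, and removing `flow:` makes the rule fire on the bare payload. Removing it is not a fix, though; it also lets the rule fire on unacknowledged or spoofed segments, which is exactly the noise the flow option exists to suppress. The right check is the one the reply asks for: a full-size capture of the session (for example `tcpdump -s 65535 -w session.pcap` on the sensor interface) so you can see whether the handshake is actually present in what stream4 gets to observe.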
Current thread:
- flow: problem -> no alert mael (Aug 05)
- Re: flow: problem -> no alert Erek Adams (Aug 06)