Re: flow: problem -> no alert

[Erek Adams <erek () snort org>]

On Mon, 4 Aug 2003, mael wrote:

[...snip...]

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"WEB-CGI
> calender.pl access\"; flow:to_server,established;
> uricontent:\"/calender.pl\"; nocase; reference:cve,CVE-2000-0432;
> classtype:attempted-recon; sid:1455;  rev:3;)
>
> should generate an alert ..but nothing happens.
>
> If I delete the \"flow:to_server,established;\" from
> the rule then all works as expected.

[...snip...]

I think the key here is "works as expected."  The 'flow:' keyword works on
the state that stream4 has.  If the state isn't established and headed to
the server, then the alert won't fire.

If you _really_ think something is broken, get a pcap (snaplen at 1514 or
65535) of the session.  With that, it's a lot easier to tell if there is a
problem in the code or simply a misconfiguration.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users