Snort mailing list archives

RE: rules with flow:established not working


From: Erek Adams <erek () snort org>
Date: Fri, 24 Oct 2003 16:00:03 -0400 (EDT)

On Fri, 24 Oct 2003, Ed Callahan wrote:

> Thanks for the idea Erek, but I get the absolute silence from that rule as
> well.
>
> I have removed "established" from all my rules and now am getting all sorts
> of snort reports of attacks on my IIS box (as expected), but with
> established back in there I get no IIS reports.

Out of idle curiosity...  Do you have HOME_NET and EXTERNAL_NET defined?
If not, modify your rule so that it uses HOME_NET and EXTERNAL_NET.  See
if that makes a difference...

The reason I'm asking is that I've got that set on my sensors here...  I'm
getting plenty-o-crap bouncing off of my boxes.  I'm just playing the
averages here... :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

