Snort mailing list archives

RE: rules with flow:established not working


From: Erek Adams <erek () snort org>
Date: Sat, 25 Oct 2003 00:16:17 -0400 (EDT)

On Fri, 24 Oct 2003, Schmehl, Paul L wrote:

> > How does snort know the flow is established?
>
> Erek can correct me if I'm wrong, but I'm pretty sure it's the three-way
> handshake, and I'm *not* sure that Nikto does that.  I think it may just
> throw exploit strings at the server and look at the responses.  If so,
> that would explain why the flow:established rules aren't triggering
> alerts.

That's exactly it.  For the most part, many of the 'exploit scanners'
don't really do anything except throw packets with an exploit at a server.
Flow:established actually looks to make sure there was a full three-way
handshake completed.

I'm going to side with Paul on this...  I'd really guess that either the
software isn't sending the full packet set, or for some reason you're not
getting all the traffic.

> I would think that ethereal would show you what's going on.  Just start
> it up and record the session and then browse through the results.

Using ethereal would be perfect.  The follow session option would be just
what you need to see what's really going on.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
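To make the point of the thread concrete, here is a small added example (not code from the thread, not Snort's own stream preprocessor) that models how a sensor decides a TCP flow is "established": it only enters that state after seeing SYN, SYN/ACK and the client's ACK. The same content rule is evaluated with and without the established requirement over three constructed sessions: a full handshake followed by a request, a scanner that fires the request with no handshake, and a capture where the server's side of the handshake was never seen. All packet data, endpoints and the `FlowTracker`/`rule_matches` names are assumptions for illustration.

```python
from collections import namedtuple

# Constructed, minimal packet model: endpoints are (ip, port) tuples,
# flags is a string of TCP flag letters, payload is bytes.
Packet = namedtuple("Packet", "src dst flags payload")

SYN, ACK, PSH, FIN, RST = "S", "A", "P", "F", "R"


class FlowTracker:
    """Toy three-way-handshake tracker (illustration only, not Snort's code)."""

    def __init__(self):
        # flow key -> (state, client endpoint)
        self.flows = {}

    @staticmethod
    def key(pkt):
        # Same key regardless of direction.
        return frozenset((pkt.src, pkt.dst))

    def observe(self, pkt):
        k = self.key(pkt)
        flags = set(pkt.flags)
        state, client = self.flows.get(k, ("NONE", None))

        if RST in flags or FIN in flags:
            # Teardown: forget the flow.
            self.flows.pop(k, None)
            return "CLOSED"

        if state == "NONE":
            if flags == {SYN}:
                self.flows[k] = ("SYN_SENT", pkt.src)
                return "SYN_SENT"
            # Payload with no prior SYN: the sensor never saw a handshake,
            # so this flow is never considered established.
            return "NONE"

        if state == "SYN_SENT" and flags == {SYN, ACK} and pkt.src != client:
            self.flows[k] = ("SYN_RECV", client)
            return "SYN_RECV"

        if (state == "SYN_RECV" and ACK in flags and SYN not in flags
                and pkt.src == client):
            self.flows[k] = ("ESTABLISHED", client)
            return "ESTABLISHED"

        # Anything else leaves the state unchanged.
        return state

    def is_established(self, pkt):
        return self.flows.get(self.key(pkt), ("NONE", None))[0] == "ESTABLISHED"


def rule_matches(tracker, pkt, content, require_established=True):
    """Model a content rule with or without a flow:established option."""
    if content not in pkt.payload:
        return False
    if require_established and not tracker.is_established(pkt):
        return False
    return True


def run_session(packets, content):
    """Count alerts from the plain rule and the flow:established variant."""
    tracker = FlowTracker()
    alerts = {"plain": 0, "flow_established": 0}
    for pkt in packets:
        tracker.observe(pkt)
        if rule_matches(tracker, pkt, content, require_established=False):
            alerts["plain"] += 1
        if rule_matches(tracker, pkt, content, require_established=True):
            alerts["flow_established"] += 1
    return alerts


# Constructed sample traffic (addresses and request are made up).
CLIENT = ("10.0.0.5", 40000)
SERVER = ("10.0.0.80", 80)
REQUEST = b"GET /test.html HTTP/1.0\r\n\r\n"
CONTENT = b"GET /test.html"

FULL_HANDSHAKE = [
    Packet(CLIENT, SERVER, "S", b""),
    Packet(SERVER, CLIENT, "SA", b""),
    Packet(CLIENT, SERVER, "A", b""),
    Packet(CLIENT, SERVER, "PA", REQUEST),
]
# Scanner that just throws the request at the server.
SCANNER_NO_HANDSHAKE = [Packet(CLIENT, SERVER, "PA", REQUEST)]
# Sensor that never saw the server's SYN/ACK (one-sided capture).
ONE_SIDED_CAPTURE = [
    Packet(CLIENT, SERVER, "S", b""),
    Packet(CLIENT, SERVER, "PA", REQUEST),
]

if __name__ == "__main__":
    for name, pkts in [("full handshake", FULL_HANDSHAKE),
                       ("no handshake", SCANNER_NO_HANDSHAKE),
                       ("one-sided capture", ONE_SIDED_CAPTURE)]:
        print(name, run_session(pkts, CONTENT))
```

If the plain rule fires but the flow:established variant stays silent, the handshake was either never completed by the client or never reached the sensor, which is exactly what following the stream in ethereal will show.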


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net