Snort mailing list archives
No Alerts In Windows: Problem with the 'established' flow control element
From: "Mike" <Mike () Novanix com>
Date: Fri, 30 Jul 2004 17:48:18 -0400
I have been having problems for the past few days getting snort to work correctly in Windows, mainly getting it to pick up alerts. After fooling with some alerts myself to try and debug it, it seems that snort has some problem with the "flow:established" option. For some reason snort is incorrectly tracking established connections, and when I make (for example) a web request to domain.com/cmd.exe it will only pick up the attack if I remove the established keyword.

Here is my original mail, which contains all the info so I don't forward a ton of stuff again:
http://marc.theaimsgroup.com/?l=snort-users&m=109114198631743&w=2

It seems this was mentioned a long time ago on the mailing list, but without resolution:
http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=established+flow+working&q=b

Along with a lot of info on Google:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=flow%3Aestablished+not+working

However, I can't find if anyone ever resolved this in Windows. So any help would be great!

Mike
Current thread:
- No Alerts In Windows: Problem with the 'established' flow control element Mike (Jul 30)
- Re: No Alerts In Windows: Problem with the 'established' flow control element Martin Roesch (Aug 02)