Snort mailing list archives

Flow Established Help


From: "Ramon L. Fernandez" <buddy () uswebpc com>
Date: Mon, 9 Jan 2006 02:20:41 -0500

Hello,

I had a question about the use of flow:established in the context of snort
rules.

How does snort interpret an established session? Does it utilize traffic in
both directions, or can it still understand an established connection from
unidirectional traffic?

A hypothetical situation would be an HTTP connection negotiation where
part or all of the server response is dropped by snort. Would snort still be
able to understand that the session was established based off unidirectional
communications, or would snort assume the session was not established and
pass the packet with malicious content?

If it did pass on the packet, would snort also pass it if the flow:to_server
option was instead substituted?

From what I have read in the FAQ about switched environments, not being able
to see RX and TX traffic causes a drawback of being unable to perform
stateful analysis, but then it says a workaround is to monitor RX traffic
only on a gigabit switch. This seems contradictory to me, so I am simply
seeking clarification.

If this question seems elementary, I apologize. I am new to utilizing snort,
but I do research, and from plenty of time at Google and reading what I
found, I could not find a clear answer. Any help would be much appreciated!

Cheers,

Ramon Fernandez
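To make the distinction in the question concrete, here is an added illustration (not code from Snort, and not part of this thread): a toy three-way-handshake tracker that evaluates a direction-only test (to_server) against a stream-state test (established) over two constructed traces, one where the sensor sees the server's SYN/ACK and one where it does not. The tracker itself, the endpoint addresses and the BADSTRING payload marker are assumptions made for the example; Snort's real stream preprocessor, its state machine and its configuration options are not modelled.

```python
"""Toy model of two Snort-style flow tests on a constructed TCP trace.

Added illustration, not Snort's code: the tracker stands in for a stream
reassembler and does NOT reproduce Snort's stream preprocessor. It only
shows why a stream-state test ("established") depends on seeing both
directions, while a direction-only test ("to_server") does not.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset          # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    payload: bytes = b""


@dataclass
class Session:
    client: str
    server: str
    state: str = "SYN_SENT"   # SYN_SENT -> SYN_RECV -> ESTABLISHED


class FlowTracker:
    """Minimal handshake tracker keyed by the endpoint pair.

    State advances only on packets the sensor actually observes, so a
    SYN/ACK that never reaches the sensor leaves the session in SYN_SENT.
    Midstream pickup (a session first seen after its handshake) is not
    modelled; a real engine's handling of it is configuration dependent.
    """

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _key(pkt):
        return frozenset((pkt.src, pkt.dst))

    def observe(self, pkt):
        sess = self.sessions.get(self._key(pkt))
        if sess is None:
            # Only a bare SYN from the client opens a session here.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                sess = Session(client=pkt.src, server=pkt.dst)
                self.sessions[self._key(pkt)] = sess
            return sess
        if sess.state == "SYN_SENT" and pkt.src == sess.server \
                and {"SYN", "ACK"} <= pkt.flags:
            sess.state = "SYN_RECV"
        elif sess.state == "SYN_RECV" and pkt.src == sess.client \
                and "ACK" in pkt.flags and "SYN" not in pkt.flags:
            sess.state = "ESTABLISHED"
        return sess

    def direction(self, pkt):
        sess = self.sessions.get(self._key(pkt))
        if sess is None:
            return None
        return "to_server" if pkt.src == sess.client else "to_client"


def rule_matches(tracker, pkt, flow_opts, content):
    """Evaluate 'flow:<opts>; content:<content>' against an observed packet."""
    sess = tracker.sessions.get(tracker._key(pkt))
    established = sess is not None and sess.state == "ESTABLISHED"
    direction = tracker.direction(pkt)
    for opt in flow_opts:
        if opt == "established" and not established:
            return False
        if opt in ("to_server", "to_client") and direction != opt:
            return False
    return content in pkt.payload


def run(trace, flow_opts, content=b"BADSTRING"):
    """Feed a trace through a fresh tracker; True if the rule fires on any packet."""
    tracker = FlowTracker()
    fired = False
    for pkt in trace:
        tracker.observe(pkt)
        fired = rule_matches(tracker, pkt, flow_opts, content) or fired
    return fired


# Constructed sample trace (addresses and the BADSTRING marker are made up).
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SYN = Packet(CLIENT, SERVER, frozenset({"SYN"}))
SYN_ACK = Packet(SERVER, CLIENT, frozenset({"SYN", "ACK"}))
ACK = Packet(CLIENT, SERVER, frozenset({"ACK"}))
REQUEST = Packet(CLIENT, SERVER, frozenset({"ACK", "PSH"}),
                 b"GET /BADSTRING HTTP/1.0\r\n\r\n")

FULL_TRACE = [SYN, SYN_ACK, ACK, REQUEST]   # sensor sees both directions
HALF_TRACE = [SYN, ACK, REQUEST]            # server's SYN/ACK was not seen

if __name__ == "__main__":
    for name, trace in (("full", FULL_TRACE), ("half", HALF_TRACE)):
        for opts in (("established", "to_server"), ("to_server",)):
            print(f"{name:4} flow:{','.join(opts):22} -> {run(trace, opts)}")
```

In this model the established test fires only on the full trace, because the state machine cannot reach ESTABLISHED without the server's SYN/ACK, whereas the to_server test still fires on the half trace since it needs only the client SYN to learn which side is which. A trace that starts midstream (no SYN at all) matches neither option here, which is the case a real stream engine's midstream-pickup settings decide.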
