Snort mailing list archives
Snort Inline - flow established does not appear to be working
From: Ron Brash <ron.brash () gmail com>
Date: Tue, 16 Aug 2011 13:26:36 -0700
Hi all,

I'm reposting my original question since I cannot resolve my issue so far with flow:established not working. I have tried the snort users group, but no such luck in finding a solution.

So to let everyone in on the background info - I have managed to cross compile PCRE, DAQ 0.5 and Snort 2.9.0.5 to run on an armeb OpenWrt embedded device. So far I have the decoders working as expected, pcre (which requires content to match, then pcre is run?), basic rules work (haven't figured out the dynamic pre-processors yet since I am compiling statically - help on this would be great too :)) and basic flow options work such as to_server, to_client... but flow:established does not work.

We are running on a bridge, but the nfqueue stuff should take care of that and I can confirm it is working correctly as far as I can tell with payload matchers like content, pcre and src/dst and port matchers.

I use the following to get Snort started:

    ./snort -Q --daq nfq --daq-var queue=502 --daq-dir /usr/local/lib/daq/ -c /etc/snort/snort.conf -A console -N -vCd -X

Which is listening on the forward chain using an iptables rule like so:

    iptables -A FORWARD -p tcp --dport 502 -j NFQUEUE --queue-num 502

I am playing around with rules like the below option:

    alert tcp 192.168.1.14 any -> 192.168.1.12 502 (flow:to_server,established; content:"|03|"; msg:"YUMMY"; sid:1111203;)

Again to reiterate, rules like flow:to_server or flow:to_client appear to be working just fine, but to get flow to work correctly, what needs to be done?
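A configuration lint a practitioner could run before chasing this further, added here as an illustration and not code from the poster or from the Snort project: in Snort 2.9 the established flag of the flow keyword relies on the Stream5 preprocessor's TCP session tracking, so the script flags active rules that use established or not_established when snort.conf has no uncommented stream5_global and stream5_tcp lines. The sample conf fragments and the extra rules are constructed, and the stream5 option values shown are assumptions, not a recommended configuration.

```python
import re
# Constructed sample inputs (not the poster's files); the first rule is the one from the thread.
CONF_NO_STREAM = """\
preprocessor frag3_global
# preprocessor stream5_global: track_tcp yes
include /etc/snort/rules/local.rules
"""
CONF_WITH_STREAM = """\
preprocessor stream5_global: track_tcp yes, max_tcp 8192
preprocessor stream5_tcp: policy first, ports both 502
include /etc/snort/rules/local.rules
"""
RULES = """\
alert tcp 192.168.1.14 any -> 192.168.1.12 502 (flow:to_server,established; content:"|03|"; msg:"YUMMY"; sid:1111203;)
alert tcp any any -> any 502 (flow:to_server; content:"|03|"; msg:"DIRECTION ONLY"; sid:1111204;)
# alert tcp any any -> any 502 (flow:established; msg:"COMMENTED OUT"; sid:1111205;)
alert tcp any any -> any 502 (flow:stateless; content:"|03|"; msg:"OPT OUT"; sid:1111206;)
"""

FLOW_RE = re.compile(r'\bflow\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
STREAM_RE = re.compile(r'preprocessor\s+(stream5_global|stream5_tcp)\b')
# flow flags that need Stream5 session state; stateless is the explicit opt-out
STATE_FLAGS = {'established', 'not_established'}

def active_lines(text):
    """Non-empty lines with '#' comment lines dropped."""
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith('#')]

def stream5_enabled(conf_text):
    """True when both stream5_global and stream5_tcp are configured."""
    seen = {m.group(1) for l in active_lines(conf_text) for m in [STREAM_RE.match(l)] if m}
    return {'stream5_global', 'stream5_tcp'} <= seen

def rules_needing_stream(rules_text):
    """Sids of active rules whose flow option depends on session tracking."""
    sids = []
    for line in active_lines(rules_text):
        flow, sid = FLOW_RE.search(line), SID_RE.search(line)
        if flow and sid and STATE_FLAGS & {f.strip() for f in flow.group(1).split(',')}:
            sids.append(int(sid.group(1)))
    return sids

def lint(conf_text, rules_text):
    """Sids that cannot match as written because Stream5 is not configured."""
    return [] if stream5_enabled(conf_text) else rules_needing_stream(rules_text)

if __name__ == '__main__':
    print('without stream5:', lint(CONF_NO_STREAM, RULES))  # [1111203]
    print('with stream5:', lint(CONF_WITH_STREAM, RULES))   # []
```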