[Snort-devel] Snort Inline - flow established does not appear to be working
ron.brash at ...2499...
Tue Aug 16 16:26:36 EDT 2011
I'm reposting my original question, since so far I cannot resolve my issue
with flow:established not working. I have tried the Snort users group, but
no such luck in finding a solution.
So, to let everyone in on the background info: I have managed to
cross-compile PCRE, DAQ 0.5 and Snort 184.108.40.206 to run on an armeb OpenWrt
embedded device. So far I have the decoders working as expected, pcre
(which requires content to match, then pcre is run?), basic rules work
(haven't figured out the dynamic preprocessors yet since I am compiling
statically - help on this would be great too :)) and basic flow options
work, such as to_server and to_client, but flow:established does not work.
We are running on a bridge, but the nfqueue stuff should take care of
that, and I can confirm it is working correctly, as far as I can tell, with
payload matchers like content and pcre, and with src/dst and port matchers.
I use the following to get Snort started:
./snort -Q --daq nfq --daq-var queue=502 --daq-dir /usr/local/lib/daq/
-c /etc/snort/snort.conf -A console -N -vCd -X
Which is listening on the forward chain using an iptables rule like
iptables -A FORWARD -p tcp --dport 502 -j NFQUEUE --queue-num 502
I am playing around with rules like the one below:
alert tcp 192.168.1.14 any -> 192.168.1.12 502
(flow:to_server,established; content:"|03|"; msg:"YUMMY"; sid:1111203;)
Again to reiterate, rules like flow:to_server or flow:to_client appear
to be working just fine, but to get flow to work correctly, what needs
to be done?
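An added note and example, not part of the message above and not Snort's own code. The iptables rule quoted in the post queues only packets whose destination port is 502, so the server's replies (source port 502, destination port ephemeral) are forwarded by the kernel without ever reaching Snort. flow:established is set by Snort's stream preprocessor, which needs to see the session come up in both directions; with only the client-to-server half queued, the SYN-ACK is never observed and the session never counts as established, while a plain flow:to_server rule still matches because the direction of the first packet is known. The Python below is a simplified model of that state tracking (it requires the full handshake; Snort's stream preprocessor can also pick sessions up mid-stream, but it still needs both directions). The IP addresses and port come from the post; the ephemeral port 40000, the packet trace and the payload bytes are constructed for the example.

```python
"""Why flow:established needs both directions of the TCP session.

Added illustration, not Snort's code. A tiny stand-in for a stream
preprocessor's session table: a session only becomes ESTABLISHED once the
SYN, SYN-ACK and final ACK have all been observed. The traffic below is a
constructed trace, not a capture.
"""
from dataclasses import dataclass

SYN = 0x02  # TCP flag bits used by the model
ACK = 0x10

NONE, SYN_SENT, SYN_RECEIVED, ESTABLISHED = "none", "syn_sent", "syn_received", "established"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


class Session:
    def __init__(self, client, server):
        self.client = client  # (ip, port) that sent the SYN
        self.server = server  # (ip, port) the SYN was sent to
        self.state = SYN_SENT


class Tracker:
    """Session table keyed on the unordered endpoint pair."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a < b else (b, a)

    def observe(self, pkt):
        """Feed one packet; return (session state, 'to_server'/'to_client'/None)."""
        sess = self.sessions.get(self._key(pkt))
        if sess is None:
            if pkt.flags & SYN and not pkt.flags & ACK:
                sess = Session((pkt.src, pkt.sport), (pkt.dst, pkt.dport))
                self.sessions[self._key(pkt)] = sess
                return sess.state, "to_server"
            return NONE, None  # start of this session was never seen
        direction = "to_server" if (pkt.dst, pkt.dport) == sess.server else "to_client"
        if sess.state == SYN_SENT and direction == "to_client" and pkt.flags & SYN and pkt.flags & ACK:
            sess.state = SYN_RECEIVED  # SYN-ACK seen: only possible if replies reach Snort
        elif sess.state == SYN_RECEIVED and direction == "to_server" and pkt.flags & ACK:
            sess.state = ESTABLISHED
        return sess.state, direction


def rule_fires(rule, state, direction, pkt):
    """Evaluate a rule dict modelled on 'tcp ... -> ... PORT (flow:<dir>[,established]; content:...)'."""
    if pkt.dport != rule["dport"] or direction != rule["direction"]:
        return False
    if rule["established"] and state != ESTABLISHED:
        return False
    return rule["content"] in pkt.payload


def nfqueue_dport_only(port):
    """Model of: iptables -A FORWARD -p tcp --dport PORT -j NFQUEUE (one direction only)."""
    return lambda pkt: pkt.dport == port


def nfqueue_both_directions(port):
    """Model of the rule above plus a matching --sport PORT rule."""
    return lambda pkt: pkt.dport == port or pkt.sport == port


def count_alerts(packets, rule, queued):
    """Run the trace through the tracker, skipping packets the kernel never queues."""
    tracker, hits = Tracker(), 0
    for pkt in packets:
        if not queued(pkt):
            continue  # forwarded by the kernel, never reaches Snort
        state, direction = tracker.observe(pkt)
        if rule_fires(rule, state, direction, pkt):
            hits += 1
    return hits


CLIENT, SERVER, PORT = "192.168.1.14", "192.168.1.12", 502
TRACE = [  # constructed: three-way handshake, one request carrying 0x03, one reply
    Packet(CLIENT, 40000, SERVER, PORT, SYN),
    Packet(SERVER, PORT, CLIENT, 40000, SYN | ACK),
    Packet(CLIENT, 40000, SERVER, PORT, ACK),
    Packet(CLIENT, 40000, SERVER, PORT, ACK, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    Packet(SERVER, PORT, CLIENT, 40000, ACK, b"\x00\x01\x00\x00\x00\x03\x01\x03\x00"),
]
RULE_ESTABLISHED = {"dport": PORT, "direction": "to_server", "established": True, "content": b"\x03"}
RULE_TO_SERVER = dict(RULE_ESTABLISHED, established=False)

if __name__ == "__main__":
    for name, rule in (("to_server", RULE_TO_SERVER), ("to_server,established", RULE_ESTABLISHED)):
        for label, queued in (("dport only", nfqueue_dport_only(PORT)), ("both ways", nfqueue_both_directions(PORT))):
            print(f"flow:{name:<22} {label:<10} alerts={count_alerts(TRACE, rule, queued)}")
```

In the model, the flow:to_server rule fires under both queueing setups, while the flow:to_server,established rule fires only when packets with source port 502 are queued as well. The corresponding fix on the box is a second rule, `iptables -A FORWARD -p tcp --sport 502 -j NFQUEUE --queue-num 502`, so that both halves of the session reach the same queue; the packet counters from `iptables -L FORWARD -v -n` will then show hits on both rules while a session is active.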