[Snort-devel] Snort Inline - flow established does not appear to be working

Ron Brash ron.brash at ...2499...
Tue Aug 16 16:26:36 EDT 2011


Hi all,

I'm reposting my original question since I cannot resolve my issue so
far with flow:established not working.  I have tried the snort users
group, but no such luck in finding a solution.

So to let everyone in on the background info - I have managed to cross
compile PCRE, DAQ 0.5 and Snort 2.9.0.5 to run on an armeb Openwrt
embedded device.  So far I have the decoders working as expected, pcre
(which requires content to match then pcre is ran?), basic rules work
(haven't figured out the dynamic pre-processors yet since I am compiling
statically - help on this would be great too :)) and basic flow options
work such as to_server, to_client.. but flow:established does not work.

We are running on a bridge, but the nfqueue stuff should take care of
that and I can confirm it is working correctly as far as I can tell with
payload matchers like content, pcre and src/dst and port matchers.

I use the following to get Snort started:

./snort -Q --daq nfq --daq-var queue=502 --daq-dir /usr/local/lib/daq/
-c /etc/snort/snort.conf -A console -N -vCd -X

Which is listening on the forward chain using an iptables rule like
so:

iptables -A FORWARD -p tcp --dport 502 -j NFQUEUE --queue-num 502

I am playing around with rules like the below option

alert tcp 192.168.1.14 any -> 192.168.1.12 502
(flow:to_server,established; content:"|03|"; msg:"YUMMY"; sid:1111203;)

Again to reiterate, rules like flow:to_server or flow:to_client appear
to be working just fine, but to get flow to work correctly, what needs
to be done?




More information about the Snort-devel mailing list