[Snort-devel] Flowbits Set and Not Checked Against SRC/DST Networks

beenph beenph at ...2499...
Tue Jun 28 08:55:24 EDT 2011


On Mon, Jun 27, 2011 at 10:51 PM,  <Joshua.Kinard at ...3108...> wrote:
>
> It is my understanding that 'flow:stateless' on a TCP rule with 'flowbits' is nonsensical -- it should, in fact, throw a fatal error (but doesn't currently).  Snort would need an established session present before it can apply 'flowbits', and since the SYN packet usually defines the start of a TCP session, you're basically asking the chicken which came first, it or the egg it hatched from.
>

Hi Joshua,
Maybe others could comment on this, but having flow:stateless is just a
way of ensuring that you are not triggering on in-stream data, thus
perfectly valid in my understanding of the test case.

> There is a formerly-undocumented option to 'flow' that might be worth trying: 'not_established'.  It works well when you play back PCAP files that exclude the TCP handshake, due to how the packets were logged.  But likely, if you are looking for the first SYN packet, 'flags:S,CE;' will probably be the best bet.
>

I am not sure, but I think not_established is superseded by the
functionality of stateless.

But I agree that flags could be something like flags:S,+;
flow:stateless; or flow:not_established;

But it was given only as a mere example for the test case, since I was
not sure about their ultimate needs.

-elz.
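As an added illustration of the test case discussed in this thread (these rules are constructed for this page and are not from either poster), the pair below sets a flowbit on the bare SYN with flow:stateless and flags:S,CE, and checks it on later established traffic in the same session. The msg strings, the flowbit name test.syn_seen, the SIDs and the dsize check are placeholders chosen here; whether the stream preprocessor has a session tracker ready to hold the bit at the moment the SYN is inspected is exactly the open question raised above, so the pair is a test to run against a PCAP, not a statement that it works.

```snort
# Constructed example rules for the flowbits-on-SYN test case (not from the thread).
# Rule 1: match the bare SYN from the home network. flags:S,CE matches SYN only,
# ignoring the CWR/ECE bits; flowbits:noalert stores the bit without alerting.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST bare SYN seen, set flowbit"; flow:stateless; flags:S,CE; flowbits:set,test.syn_seen; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: fire only on established server-to-client data in a session
# whose opening SYN was seen by rule 1 (placeholder SID, placeholder dsize check).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST data in session opened from HOME_NET"; flow:established,to_client; flowbits:isset,test.syn_seen; dsize:>0; sid:1000002; rev:1;)
```

Replaying a capture that contains the full handshake should trigger sid 1000002 exactly once per qualifying session; if it never fires while sid 1000001 is confirmed to match (temporarily drop flowbits:noalert to see it), the bit is being set before the session exists, which is the behaviour the thread is trying to pin down. Note that flags:S,+ would also match a SYN/ACK, so the direction and network variables on the first rule matter if that variant is used.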



