[Snort-sigs] question about flow syntax

David Wilburn bug at ...270...
Sat Jun 22 07:41:02 EDT 2002


With the "flow" rule option, if I had the following rule, would it catch
actions going to the web client or the web server?  In other words, is
flow direction determined by the order the networks are specified in the
rule, or by the order in which the TCP handshake occurs?

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg: "bad stuff detected"; \
flow:to_server; uricontenet: "hax0rj00()";)

I'm a little confused about the difference between SID 1284 and 1290,
which are very similar rules.  Are they both correct in their flow direction?
Which of these rules is for traffic to the web server, and which is for
traffic to the web client?

-Dave Wilburn




More information about the Snort-sigs mailing list