[Snort-sigs] question about flow syntax

Martin Roesch roesch at ...435...
Mon Jun 24 21:49:02 EDT 2002

Flow is setup based on the three way handshake, the system that send the SYN
is the client and the receiver is the server.  It has little or nothing to
do with the way that the rule header is structured (although if the
constraints of the rule header aren't satisfied, the client-server
relationship will never get checked).  It's possible to write rules that
will rarely, if ever, fire if you get your rule header/flow relationship

Sid 1284 and 1290 look good to me...


On 6/22/02 10:40 AM, "David Wilburn" <bug at ...270...> wrote:

> With the "flow" rule option, if I had the following rule, would it catch
> actions going to the web client or the web server?  In other words, is
> flow direction determined by the order the networks are specified in the
> rule, or by the order in which the TCP handshake occurs?
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg: "bad stuff detected"; \
> flow:to_server; uricontenet: "hax0rj00()";)
> I'm a little confused about the difference between SID 1284 and 1290,
> which are very similar rules.  Are they both correct in their flow direction?
> Which of these rules is for traffic to the web server, and which is for
> traffic to the web client?
> -Dave Wilburn
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...435... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-sigs mailing list