[Snort-sigs] Snorting without "flow:"

Sean Batt sean at ...1796...
Mon Aug 18 20:24:39 EDT 2003


I've spent a while working out why the official Snort signatures for the
RPC DCOM worms weren't triggering at my site. I've found that, as the
monitoring hardware available to me is only able to provide packets
inbound to my network (a limitation of the Broadcom chipset in the switch,
apparently), the flow engine isn't able to follow the state of TCP
connections, so any rules that include flow information will not trigger.

So I have removed the flow statement from all of my Snort rules. What
should I expect the results of this to be? Perhaps higher CPU load due to
inspecting more packets, and more false positives due to triggering in TCP
conversations further into the stream than the flow engine would normally
allow. Anything else spring to mind?

Does anyone have any thoughts on running Snort with only 1/2 the packet
information (at least it's the incoming half!)?

I can't imagine the flow engine could be modified to work in this
environment; does anyone think otherwise?

Sean.Batt at ...1797...
IT Manager, RSSS ANU
tel: +61 2 612 53296
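Removing the `flow:` option from every rule, as the post describes, is easy to get wrong with a plain `split(';')` because a `;` inside a quoted `content:` or `pcre:` string is literal and `\;` is an escaped one. The following is an added example, not code from the post or from the Snort project: a small tokenizer that respects quotes and escapes, drops only the `flow:` option (leaving `flowbits:` and everything else untouched), and reports which rules lost what. The ruleset in `SAMPLE_RULES` is constructed for the demonstration and contains no real Snort signatures.

```python
"""Strip "flow:" options from Snort rules while leaving every other option intact.

Constructed example for the post above, not code from the Snort project.
Snort rule option syntax: options are separated by ';', but a ';' inside a
double-quoted content/pcre string is literal, and '\\;' is an escaped one.
A naive split(';') would corrupt such rules, so a small tokenizer is used.
"""
from typing import List, Optional, Tuple

# Constructed sample ruleset (not real Snort signatures): one commented-out
# line, one blank line, one rule with a flow option, one rule without.
SAMPLE_RULES = [
    r'# constructed test ruleset',
    r'',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"CONSTRUCTED DCOM bind"; flow:to_server,established; content:"|05 00 0B|"; depth:3; content:"a\; b"; classtype:attempted-admin; sid:9000001; rev:1;)',
    r'alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"CONSTRUCTED tftp get"; content:"|00 01|"; depth:2; sid:9000002; rev:1;)',
]


def tokenize_options(body: str) -> List[str]:
    """Split the text between '(' and ')' into options, honouring quotes and backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):      # keep escape pairs such as \; or \" verbatim
            cur.append(ch)
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:            # option terminator only outside quotes
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def strip_flow(rule: str) -> Tuple[str, Optional[List[str]]]:
    """Return (rewritten rule, list of removed flow values), or (rule, None) for non-rule lines."""
    stripped = rule.strip()
    if not stripped or stripped.startswith('#') or '(' not in stripped or not stripped.endswith(')'):
        return rule, None                          # comments, blanks and anything that is not a rule
    header = stripped[:stripped.index('(')].strip()
    body = stripped[stripped.index('(') + 1:stripped.rindex(')')]
    opts = tokenize_options(body)
    # 'flowbits:' does not start with 'flow:' and is therefore kept.
    kept = [o for o in opts if not o.lower().startswith('flow:')]
    removed = [o[len('flow:'):].strip() for o in opts if o.lower().startswith('flow:')]
    return f"{header} ({'; '.join(kept)};)", removed


def rewrite_ruleset(lines: List[str]) -> Tuple[List[str], int]:
    """Rewrite a whole ruleset; returns the new lines and how many rules lost a flow option."""
    out, changed = [], 0
    for line in lines:
        new_line, removed = strip_flow(line)
        if removed:
            changed += 1
        out.append(new_line)
    return out, changed


if __name__ == '__main__':
    new_lines, n = rewrite_ruleset(SAMPLE_RULES)
    print(f"{n} rule(s) had flow options removed")
    print('\n'.join(new_lines))
```

Running the script rewrites the constructed ruleset and prints how many rules were changed; feeding it the lines of a real `.rules` file works the same way. Keeping the list of removed flow values per rule is worth doing: those rules will now match on packets in either direction and before a handshake completes, which is exactly where the extra load and extra false positives the post anticipates will come from, so the list tells you which alerts to treat with more suspicion.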
