[Snort-sigs] Snorting without "flow:"
cmg at ...435...
Tue Aug 19 05:59:03 EDT 2003
Sean Batt <sean at ...1796...> writes:
> I've spent a while working out why the official snort signatures for the
> RPC DCOM worms weren't triggering at my site. I've found that as the
> monitoring hardware available to me is only able to provide packets
> inbound to my network (limitation of the broadcom chipset in the switch,
> apparently) hence the flow engine isn't able to follow the state of TCP
> connections, so any rules that include flow information will not trigger.
Try adding "asynchronous_link" to your stream4: config line.
Chris Green <cmg at ...435...>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
More information about the Snort-sigs