[Snort-sigs] Snorting without "flow:"

Chris Green cmg at ...435...
Tue Aug 19 05:59:03 EDT 2003


Sean Batt <sean at ...1796...> writes:

> Hello,
>
> I've spent a while working out why the official snort signatures for the
> RPC DCOM worms weren't triggering at my site. I've found that, as the
> monitoring hardware available to me is only able to provide packets
> inbound to my network (a limitation of the Broadcom chipset in the switch,
> apparently), the flow engine isn't able to follow the state of TCP
> connections, so any rules that include flow information will not trigger.

Try adding "asynchronous_link" to your stream4: config line.
-- 
Chris Green <cmg at ...435...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
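
Added example (not part of the original thread and not Snort project code): a small Python audit that lists which active rules in a rules file carry a `flow:` option other than `stateless`, i.e. the rules affected by the inbound-only capture described above. The sample rules, their SIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample rules for illustration (not official signatures; local SIDs).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"constructed: needs state"; flow:to_server,established; content:"|05 00|"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"constructed: escaped \; and flow: in text"; content:"|05 00|"; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed: disabled"; flow:established; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"constructed: stateless"; flow:stateless; content:"|00 01|"; sid:1000004; rev:1;)
'''

def split_options(body):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:                      # character after a backslash is literal
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    return [o for o in opts if o]

def flow_dependent(rules_text):
    """Return [(sid, flow_args)] for active rules whose flow option needs session state."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # skip blanks and disabled rules
            continue
        m = re.match(r"^[^(]*\((.*)\)\s*$", line)  # header, then (options)
        if not m:
            continue
        opts = {}
        for o in split_options(m.group(1)):
            key, _, val = o.partition(":")
            opts[key.strip()] = val.strip()
        flow = [a.strip() for a in opts.get("flow", "").split(",") if a.strip()]
        if flow and "stateless" not in flow:       # stateless ignores stream state
            hits.append((int(opts.get("sid", "0")), flow))
    return hits

if __name__ == "__main__":
    for sid, flow in flow_dependent(SAMPLE_RULES):
        print(f"sid {sid}: flow:{','.join(flow)}")
```

Parsing the options rather than grepping for `flow:` avoids false hits on the string inside a `msg` and on commented-out rules.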