[Snort-sigs] Problem with flow directive.

Martin Buczynski buz at ...1288...
Fri May 28 02:39:10 EDT 2004


Hi,

I've got a problem with a rule.

I've got a plain rule that checks for incoming connections to a specific 
port. But I get alarms on answering http requests. The last time I 
checked flow:to_server works on the first SYN packet but I get alarms on 
the ACK in the wrong direction.

The rule:
alert tcp any any -> any 18961 (msg:" bla bla"; flow:to_server,established; 
classtype:attempted-admin; sid:XXX; rev:1;)

And I get alarms on the ACK packet from a port 80 to my port. The 
problem is that the computer generating the port 80 ACK packet isn't the 
connecting computer. My computer with the high 18961 port is the 
connecting one.

Is this a common bug (if so I'm sorry I bugged you) or has anyone had 
similar problems?

/Martin Buczynski
-- 
____________________________________________________________________________

Martin Buczynski

Sentor MSS AB

Phone: +46 - (0)18 65 30 00

Fax: +46 - (0)18 65 30 10

Mail: buz at ...1288...

Web: www.sentor.se

Visit: Orphei Drängars plats 1, 753 11 Uppsala, Sweden

____________________________________________________________________________
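As an added illustration (not part of the original post and not Snort's own code): a toy model of how a stream tracker derives flow direction from the session originator, run over a constructed trace of the situation described above, where the host with source port 18961 sends the SYN to a web server. The addresses, the tracker and the evaluate/rule_matches helpers are assumptions for the example; the expected behaviour is that the server's ACK to port 18961 matches the rule header but not flow:to_server.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S", "SA", "A", "PA"

class FlowTracker:
    """Toy model of per-session direction tracking (not Snort's code): the host
    that sent the SYN is the client, so 'to_server' means 'sent by the SYN originator'."""
    def __init__(self):
        self.sessions = {}   # session key -> [client endpoint, established?]

    def classify(self, p):
        """Return (direction, established) for packet p."""
        k = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if p.flags == "S":
            self.sessions[k] = [(p.src, p.sport), False]
            return "to_server", False
        if k not in self.sessions:
            return "unknown", False   # mid-stream pickup: originator unknown
        client, established = self.sessions[k]
        direction = "to_server" if (p.src, p.sport) == client else "to_client"
        if direction == "to_server" and "A" in p.flags:
            self.sessions[k][1] = established = True   # client's ACK completes the handshake
        return direction, established

def rule_matches(p, direction, established, port=18961):
    """'any any -> any 18961 (flow:to_server,established;)': header hit plus flow checks."""
    return p.dport == port and direction == "to_server" and established

# Constructed trace: the poster's host (source port 18961) connects out to a web server.
TRACE = [
    Packet("10.0.0.5", 18961, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "10.0.0.5", 18961, "SA"),
    Packet("10.0.0.5", 18961, "203.0.113.10", 80, "A"),
    Packet("10.0.0.5", 18961, "203.0.113.10", 80, "PA"),   # HTTP request
    Packet("203.0.113.10", 80, "10.0.0.5", 18961, "A"),    # server's ACK, dport 18961
]

def evaluate(trace=TRACE):
    """Per packet: (flags, direction, header matched?, whole rule matched?)."""
    tracker, out = FlowTracker(), []
    for p in trace:
        direction, est = tracker.classify(p)
        out.append((p.flags, direction, p.dport == 18961, rule_matches(p, direction, est)))
    return out
```

In this model the final ACK is classified to_client, so the rule stays silent; an alert on that packet points at the sensor not having seen the SYN (mid-stream pickup) or at the stream preprocessor's client/server assignment, which is where to look in the Snort configuration.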