[Snort-sigs] Problem with flow directive.
buz at ...1288...
Fri May 28 02:39:10 EDT 2004
I've got a problem with a rule.
I've got a plain rule that checks for incoming connections to a specific
port. But I get alarms on answering http requests. The last time I
checked, flow:to_server works on the first SYN packet, but I get alarms on
the ACK in the wrong direction.
any any -> any 18961 (msg:" bla bla"; flow:to_server,established;
classtype:attempted-admin; sid:XXX; rev:1;)
And I get alarms on the ACK packet from a port 80 to my port. The
problem is that the computer generating the port 80 ACK packet isn't the
connecting computer. My computer with the high 18961 port is the
Is this a common bug (if so I'm sorry I bugged you) or has anyone had
Sentor MSS AB
Phone: +46 - (0)18 65 30 00
Fax: +46 - (0)18 65 30 10
Mail: buz at ...1288...
Visit: Orphei Drängars plats 1, 753 11 Uppsala, Sweden
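
Added example, not part of the original post and not Snort's own code: a simplified model of the check that flow:to_server,established is meant to add on top of the rule header, run over two constructed sessions (an outbound HTTP request that happens to use source port 18961, and a real inbound connection to port 18961). The addresses, the FlowTracker class and the "first SYN sender is the client" rule are assumptions made for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")

class FlowTracker:
    """Assumed model: whoever sends the first SYN is the client of the session."""
    def __init__(self):
        self.sessions = {}

    def classify(self, p):
        """Update session state; return (direction, established) for packet p."""
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        sender = (p.src, p.sport)
        s = self.sessions.get(key)
        if s is None:
            if p.flags != "S":
                return None, False            # mid-stream packet, no state to judge by
            s = self.sessions[key] = {"client": sender, "synack": False, "est": False}
        elif p.flags == "SA" and sender != s["client"]:
            s["synack"] = True
        elif "A" in p.flags and s["synack"] and sender == s["client"]:
            s["est"] = True                   # client ACK completes the handshake
        direction = "to_server" if sender == s["client"] else "to_client"
        return direction, s["est"]

def header_only(packets, dport=18961):
    """What 'any any -> any 18961' matches with no flow option at all."""
    return [p.dport == dport for p in packets]

def with_flow(packets, dport=18961):
    """Header match plus flow:to_server,established."""
    t, hits = FlowTracker(), []
    for p in packets:
        direction, est = t.classify(p)
        hits.append(p.dport == dport and direction == "to_server" and est)
    return hits

# Constructed packets: local host 10.0.0.5 browses out from source port 18961.
OUTBOUND_HTTP = [
    Pkt("10.0.0.5", 18961, "192.0.2.80", 80, "S"),
    Pkt("192.0.2.80", 80, "10.0.0.5", 18961, "SA"),
    Pkt("10.0.0.5", 18961, "192.0.2.80", 80, "A"),
    Pkt("10.0.0.5", 18961, "192.0.2.80", 80, "PA"),
    Pkt("192.0.2.80", 80, "10.0.0.5", 18961, "A"),   # the reply ACK from port 80
]
# Constructed packets: a remote host really connects to a service on port 18961.
INBOUND_18961 = [
    Pkt("198.51.100.7", 40000, "10.0.0.5", 18961, "S"),
    Pkt("10.0.0.5", 18961, "198.51.100.7", 40000, "SA"),
    Pkt("198.51.100.7", 40000, "10.0.0.5", 18961, "A"),
    Pkt("198.51.100.7", 40000, "10.0.0.5", 18961, "PA"),
]
```

In this model the header alone matches the web server's replies to port 18961, while the flow check matches only client-to-server packets of the established inbound session.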