[Snort-sigs] revised edonkey sigs using flowbits

Russell Fulton r.fulton at ...575...
Mon Mar 5 20:27:00 EST 2007



Nigel Houghton wrote:
> On  0, Russell Fulton <r.fulton at ...575...> wrote:
>
>> The rules need their sids unmangled and revs changed if they are to be
>> added to the distribution.  Flowbits works fine with udp flows :)
>>
>
> This functionality is not enabled in the default snort.conf for 2.6.
> Other changes are required.
>
> If you are using stream4, the udp tracking functionality needs to be
> compiled into snort, see ./configure --help for details. Also, stream5
> is experimental at the moment just so you know.
>

Hmmmm... interesting.  I had not realised that flowbits was tied to the
stream preprocessor (but it is logical of course).  Stream5 was not
enabled on that sensor and it was compiled with default options so I'm
puzzled. 

Could it be that the flowbits on the second sig was just ignored since
stream5 was not in use?  That would explain the result I got.

In that case these sigs are not widely useful until stream5 is on by
default.

Russell.
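For readers hitting the same puzzle, here is an added illustration (not from
the thread, and not the eDonkey rules Russell posted) of the two snort.conf
pieces a flowbits pair over UDP depends on in Snort 2.6: stream5 with UDP
tracking turned on, and a set/isset rule pair that only produces an alert
once both halves of the exchange have been seen in the same tracked UDP
"flow". The rule content bytes, names and sids are placeholders. With
stream4, the equivalent is building snort with the UDP tracking configure
option Nigel mentions (check ./configure --help for its exact name), since
stream4 does not track UDP otherwise.

```conf
# Added example, not from the original post.  Rule content, flowbit name,
# message text and sids below are hypothetical placeholders.

# stream5 is commented out in the stock 2.6 snort.conf.  When it is turned
# on, the stream4 and flow preprocessor lines must be commented out, since
# stream5 cannot run alongside them.
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first
preprocessor stream5_udp: timeout 180

# First half of the exchange: set the bit but do not alert on its own.
# flowbits:noalert keeps the "request seen" rule from firing by itself.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE udp request seen"; \
    content:"|AA BB|"; depth:2; \
    flowbits:set,example.udp.request; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Second half: alert only if the bit was set earlier on this UDP flow.
# Without stream5 (or stream4 UDP tracking) there is no flow to hang the
# bit on, and the isset check can never succeed.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE udp reply after request"; \
    content:"|CC DD|"; depth:2; \
    flowbits:isset,example.udp.request; \
    classtype:misc-activity; sid:1000002; rev:1;)
```

A quick check that the bit is actually being tracked: with stream5 and
track_udp enabled, replaying a pcap containing both datagrams should alert
on sid 1000002 only; with the stream5 lines commented out, the same pcap
produces no alert at all, which is consistent with the silently ignored
flowbits Russell describes.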

