[Snort-users] flow: problem -> no alert

Erek Adams erek at ...950...
Wed Aug 6 07:44:09 EDT 2003


On Mon, 4 Aug 2003, mael wrote:

[...snip...]

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
> calender.pl access"; flow:to_server,established;
> uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432;
> classtype:attempted-recon; sid:1455;  rev:3;)
>
> should generate an alert ..but nothing happens.
>
> If I delete the "flow:to_server,established;" from
> the rule then all works as expected.

[...snip...]

I think the key here is "works as expected."  The 'flow:' keyword works on
the state that stream4 has.  If the state isn't established and headed to
the server, then the alert won't fire.

If you _really_ think something is broken, get a pcap (snaplen at 1514 or
65535) of the session.  With that, it's a lot easier to tell if there is a
problem in the code or simply a misconfiguration.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
