[Snort-users] flow: problem -> no alert

Erek Adams erek at ...950...
Wed Aug 6 07:44:09 EDT 2003

On Mon, 4 Aug 2003, mael wrote:


> calender.pl access"; flow:to_server,established;
> uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432;
> classtype:attempted-recon; sid:1455; rev:3;)
> should generate an alert ..but nothing happens.
> If I delete the "flow:to_server,established;" from
> the rule then all works as expected.


I think the key here is "works as expected."  The 'flow:' keyword works on
the state that stream4 has.  If the state isn't established and headed to
the server, then the alert won't fire.

If you _really_ think something is broken, get a pcap (snaplen at 1514 or
65535) of the session.  With that, it's a lot easier to tell if there is a
problem in the code or simply a misconfiguration.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
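To make the point in the reply concrete, here is an added illustration written for this thread (it is not Snort or stream4 code): a toy stream tracker that only marks a TCP session "established" after seeing the full three-way handshake, and a `flow:to_server,established` check evaluated against it. The packet records, addresses and request payload are constructed, and the state machine is deliberately simplified (no timeouts, no reassembly, no RST handling). Running the same `uricontent`-style match over a session whose handshake was captured versus one picked up mid-stream shows why the rule fires in one case and stays silent in the other, exactly the difference the reply attributes to stream state rather than to a bug.

```python
"""
Toy model of how a 'flow:to_server,established' option depends on TCP session
state kept by a stream preprocessor. Added example for this thread, not Snort
or stream4 code; the state machine is a simplification (handshake only).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # subset of "S", "A", "P" (SYN, ACK, PSH)
    payload: bytes = b""


@dataclass
class Session:
    client: str         # side that sent the initial SYN
    server: str
    state: str = "SYN_SENT"


class StreamTracker:
    """Minimal stand-in for the session table a stream preprocessor keeps."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def key(a, b):
        # Direction-independent session key for a two-endpoint flow
        return tuple(sorted((a, b)))

    def update(self, pkt):
        k = self.key(pkt.src, pkt.dst)
        s = self.sessions.get(k)
        if s is None:
            if pkt.flags == "S":
                self.sessions[k] = Session(client=pkt.src, server=pkt.dst)
            # Any other packet on an untracked flow is a mid-stream pickup:
            # no session is created, so it can never become ESTABLISHED.
            return self.sessions.get(k)
        if s.state == "SYN_SENT" and pkt.flags == "SA" and pkt.src == s.server:
            s.state = "SYN_RECV"
        elif s.state == "SYN_RECV" and "A" in pkt.flags and pkt.src == s.client:
            s.state = "ESTABLISHED"
        return s


def flow_matches(tracker, pkt, direction="to_server", established=True):
    """Evaluate 'flow:<direction>,established' for one packet."""
    s = tracker.sessions.get(StreamTracker.key(pkt.src, pkt.dst))
    if s is None:
        return False
    if established and s.state != "ESTABLISHED":
        return False
    if direction == "to_server":
        return pkt.src == s.client
    return pkt.src == s.server


def rule_hits(packets, uri=b"/calender.pl", use_flow=True):
    """Count packets matching a nocase URI content check, optionally gated by flow."""
    tracker = StreamTracker()
    hits = 0
    for pkt in packets:
        tracker.update(pkt)
        content_match = uri.lower() in pkt.payload.lower()   # 'nocase'
        if content_match and (not use_flow or flow_matches(tracker, pkt)):
            hits += 1
    return hits


# Constructed sample traffic (addresses and request are made up for the example)
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"
REQUEST = b"GET /cgi-bin/calender.pl HTTP/1.0\r\n\r\n"

FULL_SESSION = [
    Packet(CLIENT, SERVER, "S"),
    Packet(SERVER, CLIENT, "SA"),
    Packet(CLIENT, SERVER, "A"),
    Packet(CLIENT, SERVER, "AP", REQUEST),
]
MIDSTREAM = FULL_SESSION[3:]   # sensor started after the handshake

if __name__ == "__main__":
    print("handshake seen, with flow:   ", rule_hits(FULL_SESSION))
    print("mid-stream, with flow:       ", rule_hits(MIDSTREAM))
    print("mid-stream, flow removed:    ", rule_hits(MIDSTREAM, use_flow=False))
```

In the mid-stream case the content is present in the packet, but no session was ever created, so the flow check fails and the rule is silent; dropping the `flow:` option makes it fire on content alone. That is the same symptom the original poster saw, and the suggested diagnostic (a capture taken with a full snaplen, such as `tcpdump -s 65535 -w session.pcap ...`) answers the question of whether the sensor actually saw the handshake.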
