[Snort-users] flow: problem -> no alert
erek at ...950...
Wed Aug 6 07:44:09 EDT 2003
On Mon, 4 Aug 2003, mael wrote:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
> calender.pl access"; flow:to_server,established;
> uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432;
> classtype:attempted-recon; sid:1455; rev:3;)
> should generate an alert, but nothing happens.
> If I delete the "flow:to_server,established;" from
> the rule then all works as expected.
I think the key here is "works as expected." The 'flow:' keyword works on
the state that stream4 has. If the state isn't established and headed to
the server, then the alert won't fire.
If you _really_ think something is broken, get a pcap (snaplen at 1514 or
65535) of the session. With that, it's a lot easier to tell if there is a
problem in the code or simply a misconfiguration.
"When things get weird, the weird turn pro." H.S. Thompson
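Added example (not part of the thread, and not Snort's code): a toy session tracker in the spirit of stream4, with a matcher for the flow and uricontent options of the quoted sid:1455 rule. It shows the behaviour the reply describes: the same request packet fires the rule when the tracker saw the three-way handshake, stays silent under flow:to_server,established when the session was picked up mid-stream, and fires again once flow is dropped. Packet contents, addresses and the helper names (StreamTracker, rule_fires, run) are constructed for the demonstration.

```python
"""Why flow:to_server,established stays silent when the session tracker
never saw the session become established.  Constructed toy model, not Snort."""
from dataclasses import dataclass

SERVER_PORTS = {80}            # stands in for $HTTP_PORTS
URI = b"/calender.pl"          # uricontent of the quoted rule (nocase)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                 # "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class Session:
    client: tuple              # (ip, port) of the side that sent the SYN
    server: tuple
    state: str = "syn_sent"    # syn_sent -> syn_recv -> established


class StreamTracker:
    """Outline of what stream4 does: a session counts as established only
    after this tracker itself has seen SYN, SYN/ACK and the final ACK."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _key(p):
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def process(self, p):
        key = self._key(p)
        s = self.sessions.get(key)
        if p.flags == "S" and s is None:
            s = Session(client=(p.src, p.sport), server=(p.dst, p.dport))
            self.sessions[key] = s
        elif s is not None and p.flags == "SA" and s.state == "syn_sent":
            s.state = "syn_recv"
        elif s is not None and p.flags == "A" and s.state == "syn_recv":
            s.state = "established"
        # A packet with no tracked session (picked up mid-stream) is returned
        # with no state at all; nothing marks it established.
        return s


def rule_fires(p, s, use_flow=True):
    """Evaluate the quoted rule: server port, uricontent, optionally flow."""
    if p.dport not in SERVER_PORTS:
        return False
    # uricontent:"/calender.pl"; nocase; (crude: search the whole request)
    if URI not in p.payload.lower():
        return False
    if not use_flow:
        return True
    # flow:to_server,established; needs tracker state, not just packet bytes
    if s is None or s.state != "established":
        return False
    return (p.src, p.sport) == s.client


def run(packets, use_flow=True):
    """Feed packets through the tracker and count alerts."""
    tracker = StreamTracker()
    alerts = 0
    for p in packets:
        s = tracker.process(p)
        if rule_fires(p, s, use_flow):
            alerts += 1
    return alerts


# Constructed traffic: client 10.0.0.5 talks to web server 192.0.2.10.
C, S = "10.0.0.5", "192.0.2.10"
HANDSHAKE = [Packet(C, 40001, S, 80, "S"),
             Packet(S, 80, C, 40001, "SA"),
             Packet(C, 40001, S, 80, "A")]
REQUEST = Packet(C, 40001, S, 80, "PA",
                 b"GET /cgi-bin/Calender.pl HTTP/1.0\r\n\r\n")


def full_session():
    return run(HANDSHAKE + [REQUEST])          # handshake seen: 1 alert


def midstream_only():
    return run([REQUEST])                      # no handshake seen: 0 alerts


def midstream_without_flow():
    return run([REQUEST], use_flow=False)      # flow removed: 1 alert again


if __name__ == "__main__":
    print(full_session(), midstream_only(), midstream_without_flow())
```

The pcap the reply asks for is what settles which case applies: a capture that starts after the handshake, or a sensor where the stream4 preprocessor line is missing from snort.conf, looks exactly like the "mid-stream" run above. Capturing with `tcpdump -s 1514 -w session.pcap` keeps whole frames so the handshake and the request are both visible.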