[Snort-users] 2.0 bug in flow:?

Matt Kettler mkettler at ...4108...
Thu Jul 31 12:44:35 EDT 2003


The only thing I would check is to make sure you have stream4 enabled. AFAIK without it, flows don't work.

At 03:24 AM 8/1/2003 +1200, Jason Haar wrote:
>Hi there
>
>I just had a bunch of FPs on the following rule:
>
>alert tcp any any -> any 1080 ( sid: 1000012; rev: 1; msg: "Trimble BugBear
>B Backdoor Attack"; flow: to_server,established; content: "|3b|o|3b|";
>depth:50;
>reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...;classtype:
>trojan-activity;)
>
>
>This triggered on a packet from a Win2K server (src port 139) to a client
>(dst port 1080), that contained the "|3b|o|3b|" content, yada yada.
>
>My problem is that I would have read that as "flow:from_server,established"
>- not "to_server"...
>
>Is the space to blame? If so, shouldn't snort sanity check that?
>
>Thanks!
>
>--
>Cheers
>
>Jason Haar
>Information Security Manager, Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
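An added example, not from either poster and not Snort's own code, modelling the point the thread turns on: a flow keyword can only be judged against a tracked session, and for the quoted rule the direction is decided by who opened the connection, not by the port numbers. Hosts, ports and the reply payload are constructed; the toy tracker (SYN sender is the client, session established after the handshake ACK, and "no tracked session" means the flow test fails) is a modelling assumption, and the depth and whether Snort 2.0 tolerates the space after "flow:" are not modelled here.

```python
import re
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str; sport: int; dst: str; dport: int
    flags: str; payload: bytes = b""     # flags are TCP flag letters, e.g. "S", "SA", "PA"

def observe(sessions, p):
    """Toy stream4-style tracking (assumption): the bare-SYN sender is the client."""
    k = frozenset({(p.src, p.sport), (p.dst, p.dport)})
    if p.flags == "S":
        sessions[k] = {"client": (p.src, p.sport), "established": False}
    elif k in sessions and "A" in p.flags and "S" not in p.flags:
        sessions[k]["established"] = True           # handshake ACK or later data
    return sessions.get(k)

def parse_rule(rule):
    """Return the flow keywords and the content bytes (|hh| hex escapes decoded)."""
    flow = re.search(r"flow:\s*([^;]+);", rule)
    keywords = [t.strip() for t in flow.group(1).split(",")] if flow else []
    raw = re.search(r'content:\s*"([^"]*)"', rule).group(1)
    content = re.sub(r"\|([0-9A-Fa-f ]+)\|",
                     lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), raw)
    return keywords, content.encode("latin-1")

def rule_matches(rule, pkt, session):
    keywords, content = parse_rule(rule)
    for kw in keywords:
        if session is None:      # nothing tracked the handshake: flow cannot be evaluated
            return False
        from_client = (pkt.src, pkt.sport) == session["client"]
        if (kw == "established" and not session["established"]
                or kw == "to_server" and not from_client
                or kw == "from_server" and from_client):
            return False
    return content in pkt.payload

RULE = ('alert tcp any any -> any 1080 (sid:1000012; msg:"Trimble BugBear B Backdoor '
        'Attack"; flow: {flow}; content:"|3b|o|3b|"; depth:50;)')

def bugbear_scenario(flow):
    """Constructed traffic like the report: port 1080 opened the connection to port 139."""
    sessions = {}
    client, server = ("10.0.0.5", 1080), ("10.0.0.9", 139)
    for p in (Pkt(*client, *server, "S"), Pkt(*server, *client, "SA"), Pkt(*client, *server, "A")):
        observe(sessions, p)
    reply = Pkt(*server, *client, "PA", b"\x00\x10;o;" + b"\x00" * 20)   # Win2K box answers
    return rule_matches(RULE.format(flow=flow), reply, observe(sessions, reply))
```

Under this model the reported packet (139 -> 1080, sent by the side that accepted the connection) satisfies from_server but not to_server, and with no session state at all no flow-qualified rule can match.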