[Snort-users] Can I do the flow equiv of "Flags:S"?
mkettler at ...4108...
Tue May 20 11:51:12 EDT 2003
At 11:34 AM 5/20/2003 +1200, Jason Haar wrote:
>I'm wanting to capture outgoing TCP connections irrespective of whether or
>not a front-end firewall is blocking that port. I know "Flags:S" does that
>trick - but then tcp reassembly doesn't occur.
>Is there a way of using the "flow:" option to do this?
>[i.e. flow:established doesn't work in the case a firewall stops the 3-way
>TCP handshake from finishing]
I guess my question is why would you want to use flow for this?
flow is _intended_ for stateful analysis.. By invoking flow: instead of
flags: you're specifically stating that you're only interested in
connections which have negotiated themselves to a particular state.
If you want stateless analysis, flags _is_ really the option you want to use.
Flow isn't an absolute replacement for flags.. it's just that in some
situations it works better and in others it doesn't.. pick the right one for the
right job and you'll be happy.
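The distinction drawn above (flags:S fires on the bare SYN even when an upstream firewall drops it, while flow:established only fires once the three-way handshake has completed) can be seen with a small model of the two checks. The following is an added example, not code from the thread or from Snort itself: it replaces Snort's stream preprocessor with a minimal handshake tracker, and the two rules it evaluates (a stateless SYN rule and a stateful rule with a content match on port 6667) are hypothetical, as are the constructed packet sequences.

```python
from dataclasses import dataclass

# TCP flag bits used by this model.
SYN = 0x02
ACK = 0x10
PSH = 0x08

# Hypothetical rule pair this model stands in for (Snort syntax, for reference only):
#   alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"outbound IRC attempt"; flags:S; sid:1000001;)
#   alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"outbound IRC session"; \
#       flow:established,to_server; content:"NICK "; sid:1000002;)
WATCHED_PORT = 6667


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def flags_s_matches(pkt: Packet) -> bool:
    """Stateless check, like Snort's flags:S: is this packet a bare SYN?"""
    return pkt.flags == SYN


class FlowTracker:
    """Minimal three-way-handshake tracker standing in for Snort's stream/flow state."""

    def __init__(self) -> None:
        self.state: dict = {}

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _rev(pkt: Packet):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def observe(self, pkt: Packet) -> str:
        """Advance the connection state with this packet and return the current state."""
        if pkt.flags == SYN:
            self.state[self._key(pkt)] = "SYN_SENT"
        elif pkt.flags == SYN | ACK and self.state.get(self._rev(pkt)) == "SYN_SENT":
            self.state[self._rev(pkt)] = "SYN_RECEIVED"
        elif pkt.flags & ACK and self.state.get(self._key(pkt)) == "SYN_RECEIVED":
            self.state[self._key(pkt)] = "ESTABLISHED"
        return self.state.get(self._key(pkt), self.state.get(self._rev(pkt), "NONE"))

    def established_to_server(self, pkt: Packet) -> bool:
        """Stateful check, like flow:established,to_server: the handshake has completed
        and the packet travels in the same direction as the original SYN."""
        return self.observe(pkt) == "ESTABLISHED" and self._key(pkt) in self.state


def evaluate(packets) -> dict:
    """Count how often each hypothetical rule would alert on a packet sequence."""
    tracker = FlowTracker()
    alerts = {"stateless": 0, "stateful": 0}
    for pkt in packets:
        on_port = pkt.dport == WATCHED_PORT
        # flags:S rule: no state needed, every SYN (including retransmits) alerts.
        if on_port and flags_s_matches(pkt):
            alerts["stateless"] += 1
        # flow:established,to_server + content rule: needs a finished handshake.
        # observe() is called for every packet so the tracker sees the whole exchange.
        established = tracker.established_to_server(pkt)
        if on_port and established and b"NICK " in pkt.payload:
            alerts["stateful"] += 1
    return alerts


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"  # constructed addresses

# Constructed scenario 1: a front-end firewall drops the SYN, so the client only
# retransmits SYNs and the handshake never completes.
BLOCKED_ATTEMPT = [
    Packet(CLIENT, 50000, SERVER, 6667, SYN),
    Packet(CLIENT, 50000, SERVER, 6667, SYN),
    Packet(CLIENT, 50000, SERVER, 6667, SYN),
]

# Constructed scenario 2: the handshake completes and the client sends data.
COMPLETED_SESSION = [
    Packet(CLIENT, 50001, SERVER, 6667, SYN),
    Packet(SERVER, 6667, CLIENT, 50001, SYN | ACK),
    Packet(CLIENT, 50001, SERVER, 6667, ACK),
    Packet(CLIENT, 50001, SERVER, 6667, PSH | ACK, b"NICK sample\r\n"),
]

if __name__ == "__main__":
    print("blocked attempt :", evaluate(BLOCKED_ATTEMPT))
    print("completed session:", evaluate(COMPLETED_SESSION))
```

On the blocked attempt the stateless rule alerts three times (once per SYN retransmit) and the stateful rule never does, because the tracker never leaves SYN_SENT; on the completed session both alert once. That is exactly the trade-off described in the reply: flags:S gives you the connection attempt regardless of what the firewall does with it, while flow:established only gives you sessions that actually negotiated, which is what makes reassembly and content matching possible in the second case.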