[Snort-users] Can I do the flow equiv of "Flags:S"?

Matt Kettler mkettler at ...4108...
Tue May 20 11:51:12 EDT 2003


At 11:34 AM 5/20/2003 +1200, Jason Haar wrote:
>Hi there
>
>I'm wanting to capture outgoing TCP connections irrespective of whether or
>not a front-end firewall is blocking that port. I know "Flags:S" does that
>trick - but then tcp reassembly doesn't occur.
>
>Is there a way of using the "flow:" option to do this?
>
>[i.e. flow:established doesn't work in the case a firewall stops the 3-way
>TCP handshake from finishing]

I guess my question is why would you want to use flow for this?

flow is _intended_ for stateful analysis.. By invoking flow: instead of 
flags: you're specifically stating that you're only interested in 
connections which have negotiated themselves to a particular state.

If you want stateless analysis flags _is_ really the option you want to use.

Flow isn't an absolute replacement for flags.. it's just for some 
situations it works better, others it doesn't.. pick the right one for the 
right job and you'll be happy.






More information about the Snort-users mailing list