[Snort-users] FLOW question

Steven Suppe steve_suppe at ...131...
Wed Feb 25 16:12:11 EST 2004

I'm a newbie to this list, but am presently becoming the resident "expert" at Snort here at work, and I look forward to participating!
My current question is about the keyword flow.  I really don't understand the point - I understand that it's supposed to relieve you from defining pack direction at the IP layer, but I'm not understanding something in practice.  For instance, if I wanted to capture any time the word "root" was issued over a telnet connection, 
alert tcp $EXTERNAL any -> $TELNET_SERVER 23 (msg:"SU attempt!"; content: "root"; nocase; flow:to_server,from_client,established;)
and the same rule WITHOUT the flow clause do the exact same thing?  Because of the    "->" operator, we can only have our traffic going one way anyway!
I thought that because it was stateful, that once the connection was established, I could have 
alert tcp $EXTERNAL any ->$TELNET_SERVER 23 (msg: "SU attempt!"; content: "root"; nocase; flow:from_server, established;)
if I wanted to get something JUST from the server, but that doesn't seem to work!
If someone could enlighten a poor admin like me, I'd appreciate it!  I'm sure it's something small and obvious that I'm missing.  Thanks in advance!
Steve Suppe

Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040225/d3e751f4/attachment.html>

More information about the Snort-users mailing list