[Snort-users] FLOW question
steve_suppe at ...131...
Wed Feb 25 16:12:11 EST 2004
I'm a newbie to this list, but am presently becoming the resident "expert" at Snort here at work, and I look forward to participating!
My current question is about the keyword flow. I really don't understand the point - I understand that it's supposed to relieve you from defining packet direction at the IP layer, but I'm not understanding something in practice. For instance, if I wanted to capture any time the word "root" was issued over a telnet connection,
alert tcp $EXTERNAL any -> $TELNET_SERVER 23 (msg:"SU attempt!"; content: "root"; nocase; flow:to_server,from_client,established;)
wouldn't the same rule WITHOUT the flow clause do the exact same thing? Because of the "->" operator, we can only have our traffic going one way anyway!
I thought that because it was stateful, once the connection was established, I could have
alert tcp $EXTERNAL any -> $TELNET_SERVER 23 (msg:"SU attempt!"; content: "root"; nocase; flow:from_server,established;)
if I wanted to get something JUST from the server, but that doesn't seem to work!
If someone could enlighten a poor admin like me, I'd appreciate it! I'm sure it's something small and obvious that I'm missing. Thanks in advance!
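As an added illustration (not part of the original post or of any reply to it), the telnet rule from the question written three ways, showing that the header's direction operator and the flow option describe the same packet direction and must agree, while "established" adds the stateful check the header cannot express. $EXTERNAL and $TELNET_SERVER are the variables used above; the sid values are placeholders from the local 1000000+ range, and the flow option assumes the stream preprocessor is enabled.

```snort
# Added example, not from the original post. $EXTERNAL and $TELNET_SERVER are
# the variables used in the question; sid values are local-range placeholders.

# 1. Client -> server, as in the question. The header "->" already limits
#    matches to packets addressed to the telnet server's port 23. What the
#    header cannot say is "established": the TCP handshake must have completed
#    (tracked by the stream preprocessor), so a lone forged packet carrying
#    "root" does not fire. "from_client" is a synonym of "to_server", so one
#    of the two is enough.
alert tcp $EXTERNAL any -> $TELNET_SERVER 23 (msg:"SU attempt - client to server"; flow:to_server,established; content:"root"; nocase; sid:1000001; rev:1;)

# 2. Server -> client. A packet whose destination is the server's port 23 is
#    travelling toward the server, so flow:from_server can never be true for
#    it; the header must be reversed so the two directions agree.
alert tcp $TELNET_SERVER 23 -> $EXTERNAL any (msg:"root seen in server output"; flow:from_server,established; content:"root"; nocase; sid:1000002; rev:1;)

# 3. Either direction of an established session, using the bidirectional
#    header operator "<>"; the flow option keeps only the stateful check.
alert tcp $EXTERNAL any <> $TELNET_SERVER 23 (msg:"root in established telnet session"; flow:established; content:"root"; nocase; sid:1000003; rev:1;)
```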