[Snort-users] No Alers In Windows: Problem with the 'established' flow control element

Mike Mike at ...12183...
Fri Jul 30 14:51:08 EDT 2004

I have been having problems for the past few days getting snort to work
correctly in windows, mainly getting it to pick up alerts.  After fooling
with some alerts myself to try and debug it, it seems that snort has some
problem with the "flow:established" option.  For some reason snort is
incorrectly tracking established connections and when I make (for example) a
web request to domain.com/cmd.exe it will only pick up the attack if I
remove the established keyword.  

Here is my original mail which contains all the info so I don't forward a
ton of stuff again:

It seems this was mentioned a long time ago on the mailing list, but without

Along with a lot of info on google:

However I can't find if anyone ever resolved this in windows.  So any help
would be great!


More information about the Snort-users mailing list