[Snort-users] need help understanding the "flow:" keyword

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...11338...
Wed Jan 5 07:12:43 EST 2005

Happy New Year!

With the start of the new year, I decided to fetch the latest copy of the bleedingsnort.com rules.  And to my surprise, none of the rules fired, and I'm pretty sure that we didn't clean all the "crap" off the company PCs during the holiday shutdown.  After researching this, I see that many of the rules have been updated to include the "flow:" keyword.

I run my Snort (2.3.0RC2) sensor on the same box as our SUN iProxy (3.6/SP6) web proxy server.  The proxy server also uses SmartFilter (from SecureComputing) to filter web traffic. Both HOME_NET and EXTERNAL_NET are set to "any". I edited the bleeding-all.rules file, and took out all the "flow:" commands, and now Snort is detecting traffic as expected.

I must be missing something, but even after using Google, and reading several examples of flow usage, I'm puzzled.

