[Snort-users] need help understanding the "flow:" keyword

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...11338...
Wed Jan 5 07:12:43 EST 2005


Happy New Year!

With the start of the new year, I decided to fetch the latest copy of the bleedingsnort.com rules.  And to my surprize, none of the rules fired, and I'm pretty sure that we didn't clean all the "crap" off the company PCs during the holiday shutdown.  After researching this, I see that many of the rules have been updated to include the "flow:" keyword.

I run my Snort (2.3.0RC2) sensor on the same box as our SUN iProxy (3.6/SP6) web proxy server.  The proxy server also uses SmartFilter (from SecureComputing) to filter web traffic. Both HOME_NET and EXTERNAL_NET are set to "any". I edited the bleeding-all.rules file, and took out all the "flow:" commands, and now Snort is detecting traffic as expected.

I must be missing something, but even after using Google, and reading several examples of flow usage, I'm puzzled.

Thanks




More information about the Snort-users mailing list