[Snort-users] flow:established still broken in

Jason Haar Jason.Haar at ...294...
Wed Jun 29 16:57:55 EDT 2011

On 29/06/11 22:47, Joel Esler wrote:
> Are you dropping packets?  I am wondering that, because maybe Snort
> tagged this as a midstream pickup or something.
Nope. snort is running on the proxy server itself, eth0 shows no errors,
and doing a "kill -USR1" shows

Packet I/O Totals:
:    Received:    661036928
:    Analyzed:    661016939 ( 99.997%)
:    Dropped:        19989 (  0.003%)
:    Filtered:            0 (  0.000%)
:    Outstanding:        19989 (  0.003%)
:    Injected:            0

(this is snort- under CentOS-5.6 with "pcap DAQ configured to

> Do you have a pcap?
I have a pcap of the single packet that triggered the event - but not
the first packet of the TCP stream - so I don't think it means much. As
it's HTTPS, I'll attach it

> As a rule writing note, "isset" flowbit checks generally should come
> before content.  I have no idea what this rule does though, but I'd
> want the flowbit check before the content in this case, as it's only a
> two byte match. 
That's an EmergingThreat rule - but that shouldn't matter. snort
shouldn't have matched on a "depth:2" half-way through a tcp stream?

The Big Question is: what does snort do when it "starts" in the middle
of a tcp stream? Does it ignore all "flow" related rules, or does it
(erroneously IMO) treat the first packet it sees as the first packet of
the stream? (your question about packet loss makes me think that is what
is happening?)



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: base_packet_195-47333.pcap
Type: application/x-pcap
Size: 1354 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110630/aaaa84a2/attachment.bin>

More information about the Snort-users mailing list