[Snort-users] question for snort flow established

zhaojunling_20 zhaojunling_2000 at ...7427...
Sat Mar 16 11:10:47 EDT 2013


Dear All,


I have a little question: if I install Snort on my web server (IP address 10.2.11.2), which has only one Ethernet interface, and Snort inspects that interface, does "flow with option established" work or not?


I have tested the rule below with http://10.2.11.2/test.php?user=Zango/Setup.exe, and no alert was raised.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware installation request"; content:"Zango/Setup.exe";flow: to_server,established; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:10000019; rev:3;)
Appreciate your help.


Junling Zhao