[Snort-users] question for snort flow established

waldo kitty wkitty42 at ...14940...
Sat Mar 16 16:00:21 EDT 2013


On 3/16/2013 10:10, zhaojunling_20 wrote:
> Dear All,
>
> I have a little question, if I installed snort on my web server<ipaddress
> 10.2.11.2> which has only one ethernet interface and snort inspect the
> interface, does "flow with option established" work or not?

yes... it has to, as several tens of thousands of rules use it ;)

> I have tested the below rule with
> ----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware

what do your $HTTP_SERVERS and $HTTP_PORTS vars contain in your snort.conf??

> installation request"; content:"Zango/Setup.exe";flow: to_server,established;
> reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
> classtype:policy-violation; sid:10000019; rev:3;)
> appreciate your help~
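A toy model of the two checks the rule above depends on, added here as an example (not Snort's code and not from the thread): the header against $HTTP_SERVERS/$HTTP_PORTS, and flow:to_server,established, which only passes once the stream tracker has seen the whole handshake. The client address, packets and the two configs are constructed.

```python
from ipaddress import ip_address, ip_network

def expand(var, conf):
    """Resolve a $VAR from a snort.conf-style table; unknown vars stay literal."""
    return conf.get(var.lstrip("$"), var)

def ip_in(addr, spec):
    """'any' or a comma-separated list of networks, as in a snort.conf ipvar."""
    if spec == "any":
        return True
    return any(ip_address(addr) in ip_network(n, strict=False) for n in spec.split(","))

def port_in(port, spec):
    """'any' or a comma-separated port list, as in a snort.conf portvar."""
    return spec == "any" or any(int(p) == port for p in spec.split(","))

def is_established(packets, client, server):
    """Toy stream tracker: established only after SYN, SYN/ACK and ACK are all seen."""
    seen = set()
    for p in packets:
        if p["src"] == client and p["dst"] == server and p["flags"] == "S":
            seen.add("syn")
        elif p["src"] == server and p["dst"] == client and p["flags"] == "SA" and "syn" in seen:
            seen.add("synack")
        elif p["src"] == client and p["dst"] == server and "A" in p["flags"] and "synack" in seen:
            seen.add("ack")
    return {"syn", "synack", "ack"} <= seen

def rule_fires(packets, request, conf):
    """alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (content; flow:to_server,established)."""
    if not ip_in(request["dst"], expand("$HTTP_SERVERS", conf)):
        return False                      # header: destination not in $HTTP_SERVERS
    if not port_in(request["dport"], expand("$HTTP_PORTS", conf)):
        return False                      # header: destination port not in $HTTP_PORTS
    if not is_established(packets, request["src"], request["dst"]):
        return False                      # flow:established failed: handshake never seen
    return b"Zango/Setup.exe" in request["payload"]   # to_server: request is client->server

# Constructed sample: one client talking to the web server from the thread (10.2.11.2).
CLIENT, SERVER = "10.2.11.50", "10.2.11.2"
HANDSHAKE = [{"src": CLIENT, "dst": SERVER, "flags": "S"},
             {"src": SERVER, "dst": CLIENT, "flags": "SA"},
             {"src": CLIENT, "dst": SERVER, "flags": "A"}]
REQUEST = {"src": CLIENT, "dst": SERVER, "dport": 80,
           "payload": b"GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\n"}
GOOD_CONF = {"HTTP_SERVERS": "any", "HTTP_PORTS": "80"}
BAD_CONF = {"HTTP_SERVERS": "192.168.1.0/24", "HTTP_PORTS": "80"}  # server not listed
```

rule_fires(HANDSHAKE, REQUEST, BAD_CONF) is False even though the content matches, which is exactly the snort.conf check the reply asks for. rule_fires([], REQUEST, GOOD_CONF) is also False, because a stream picked up without its handshake never counts as established.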
