[Snort-users] question for snort flow established
wkitty42 at ...14940...
Sat Mar 16 16:00:21 EDT 2013
On 3/16/2013 10:10, zhaojunling_20 wrote:
> Dear All,
> I have a little question, if I installed snort on my web server <ipaddress
> 10.2.11.2> which has only one ethernet interface and snort inspects the
> interface, does "flow with option established" work or not?
yes... it has to as several tens of thousands of rules use it ;)
> I have tested the below rule with
> ----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
what do your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??
> installation request"; content:"Zango/Setup.exe";flow: to_server,established;
> classtype:policy-violation; sid:10000019; rev:3;)
> appreciate your help~
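
A rule's header (addresses and ports) has to match a packet before its options, including `flow` and `content`, are evaluated, which is why the values of `$HTTP_SERVERS` and `$HTTP_PORTS` matter here. The following is an added example, not part of the original thread and not Snort's own code: a simplified Python check of the posted rule's header against two constructed sets of variable values. The client address, the variable values and all function names are assumptions, and only flat bracket lists are handled.

```python
import ipaddress

# Rule from the post above, joined onto one line.
RULE = ('alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware '
        'installation request"; content:"Zango/Setup.exe";flow: to_server,established; '
        'classtype:policy-violation; sid:10000019; rev:3;)')

def flatten(value, variables, negated=False):
    """Expand $VAR, !x and flat [a,b] lists into (negated, token) pairs."""
    value = value.strip()
    if value.startswith("!"):
        return flatten(value[1:], variables, not negated)
    if value.startswith("$"):
        return flatten(variables[value[1:]], variables, negated)
    if value.startswith("["):
        return [p for part in value[1:-1].split(",")
                for p in flatten(part, variables, negated)]
    return [(negated, value)]

def matches(value, variables, test):
    """True if a positive token matches (or none exist) and no negated one does."""
    toks = flatten(value, variables)
    wanted = [t for is_neg, t in toks if not is_neg]
    excluded = [t for is_neg, t in toks if is_neg]
    return (not wanted or any(map(test, wanted))) and not any(map(test, excluded))

def ip_test(addr):
    addr = ipaddress.ip_address(addr)
    return lambda tok: tok == "any" or addr in ipaddress.ip_network(tok, strict=False)

def port_test(port):
    def test(tok):
        if tok == "any":
            return True
        lo, sep, hi = tok.partition(":")  # "80", "8000:8010", ":1024" or "1024:"
        return int(lo or 0) <= port <= int((hi if sep else lo) or 65535)
    return test

def header_matches(rule, variables, src, sport, dst, dport):
    """Check only the rule header (addresses/ports), not the rule options."""
    _, _, s_ip, s_port, _, d_ip, d_port = rule.split("(", 1)[0].split()
    return (matches(s_ip, variables, ip_test(src))
            and matches(s_port, variables, port_test(sport))
            and matches(d_ip, variables, ip_test(dst))
            and matches(d_port, variables, port_test(dport)))

# Constructed snort.conf values: web server outside HOME_NET, then inside it.
CONF_OUTSIDE = {"HOME_NET": "192.168.0.0/16", "HTTP_SERVERS": "$HOME_NET", "HTTP_PORTS": "[80,8080]"}
CONF_INSIDE = {"HOME_NET": "10.2.11.2/32", "HTTP_SERVERS": "$HOME_NET", "HTTP_PORTS": "[80,8080]"}
```

With `CONF_OUTSIDE` the header never matches a request to 10.2.11.2:80, so the rule cannot alert regardless of `flow`; with `CONF_INSIDE` it matches and the options are evaluated next.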