[Snort-users] question for snort flow established

zhaojunling_20 zhaojunling_2000 at ...7427...
Sat Mar 16 22:41:52 EDT 2013

Dear friends,

# List of web servers on your network

# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

At 2013-03-17 04:00:21,"waldo kitty" <wkitty42 at ...14940...> wrote:
>On 3/16/2013 10:10, zhaojunling_20 wrote:
>> Dear All,
>> I have a little question, if I installed snort on my web server <ipaddress>
>> which has only one ethernet interface and snort inspects the
>> interface, does "flow with option established" work or not?
>yes... it has to as several tens of thousands of rules use it ;)
>> I have tested the below rule with
>> ----, no alert arose.
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
>what does your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??
>> installation request"; content:"Zango/Setup.exe";flow: to_server,established;
>> reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>> classtype:policy-violation; sid:10000019; rev:3;)
>> appreciate your help~