Network Security Snort-Users
[Snort-users] Flow Established Help

Subject: [Snort-users] Flow Established Help
Date: Mon, 9 Jan 2006 02:20:41 -0500
Hello,

I had a question about the use of flow:established in the context of Snort
rules.

How does Snort interpret an established session? Does it utilize traffic in
both directions, or can it still understand an established connection from
unidirectional traffic?

A hypothetical situation would be an HTTP connection negotiation where
part or all of the server response is dropped by Snort. Would Snort still be
able to understand that the session was established based on unidirectional
communications, or would Snort assume the session was not established and
pass the packet with malicious content?

If it did pass on the packet, would Snort also pass it if the flow:to_server
option was substituted instead?

From what I have read in the FAQ about switched environments, not being able
to see RX and TX traffic causes the drawback of being unable to perform
stateful analysis, but then it says a workaround is to monitor RX traffic
only on a gigabit switch. This seems contradictory to me, so I am simply
seeking clarification.

If this question seems elementary, I apologize. I am new to utilizing Snort,
but I do research, and after plenty of time at Google and reading what I
found, I could not find a clear answer. Any help would be much appreciated!

Cheers,

Ramon Fernandez
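As an added illustration of the scenario in the question (not part of this thread and not Snort's own code): a toy flow tracker in Python with two assumed modes, one that marks a flow established only after the full handshake was seen in both directions and one that picks up a session midstream from a data-bearing ACK, run against the case where the server's SYN/ACK never reaches the sensor. The class names, the mode switch and the addresses are constructed for the example.

```python
from dataclasses import dataclass
SYN, ACK = 0x02, 0x10   # TCP flag bits
@dataclass
class Packet:
    src: str
    dst: str
    flags: int
    payload: bytes = b""

@dataclass
class FlowState:
    client: str                # side assumed to have opened the connection
    saw_syn: bool = False
    saw_synack: bool = False
    established: bool = False

class FlowTracker:
    """require_3whs=True: a flow is established only after the full SYN, SYN/ACK,
    ACK handshake was observed; False: a data-bearing ACK seen midstream suffices."""
    def __init__(self, require_3whs: bool):
        self.require_3whs = require_3whs
        self.flows = {}

    def update(self, p: Packet) -> FlowState:
        key = frozenset((p.src, p.dst))    # same key for both directions
        st = self.flows.setdefault(key, FlowState(client=p.src))
        if p.flags & SYN:
            if p.flags & ACK:
                st.saw_synack = True
            else:
                st.saw_syn = True
        elif p.flags & ACK:
            if (st.saw_syn and st.saw_synack) or (not self.require_3whs and p.payload):
                st.established = True
        return st

    def rule_matches(self, p: Packet, established: bool, to_server: bool) -> bool:
        """Evaluate a rule's flow:established / flow:to_server options on p."""
        st = self.update(p)
        return (st.established or not established) and (p.src == st.client or not to_server)

def post_scenario(require_3whs: bool) -> bool:
    """Only client packets reach the sensor (the server's SYN/ACK is lost);
    does flow:established,to_server match the client's HTTP request?"""
    t = FlowTracker(require_3whs)
    t.update(Packet("10.0.0.5", "10.0.0.80", SYN))   # constructed addresses
    t.update(Packet("10.0.0.5", "10.0.0.80", ACK))   # the SYN/ACK was never seen
    req = Packet("10.0.0.5", "10.0.0.80", ACK, b"GET / HTTP/1.0\r\n\r\n")
    return t.rule_matches(req, established=True, to_server=True)
```

In the strict mode the request never satisfies flow:established, so a rule that depends on it stays silent even though flow:to_server alone would still match; which of the two behaviours a real sensor shows depends on its stream preprocessor and how it is configured, which is what the question comes down to.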
