Snort mailing list archives

Re: A question about flow:established keyword


From: Erick Mechler <emechler () techometer net>
Date: Wed, 26 Mar 2003 15:09:10 -0800

:: I believe when we set the value of flow to "established", Snort only
:: looks for that attack after the connection is established (i.e. 3-way TCP
:: handshaking is done).

More specifically, it looks for the ACK and some other flag set (A+).  So, 
if data were being sent in a SYN+ACK packet, Snort would inspect that, too.  
At least, that's what the docs seem to indicate :)

:: Also, I assume that there should be a time-out for TCP sessions (i.e.
:: after the session is idle for a period of time, it would be considered as
:: dead and the memory assigned to it including the session data and status
:: will be de-allocated).

Yup, right again.  All of your answers are in the docs:

http://www.snort.org/docs/writing_rules/chap2.html#stream%204%20section

Cheers - Erick
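As an added example (not code from this thread or from Snort itself), a small Python model of the two behaviours described in the reply: the "A+" flag test that decides which packets a flow:established rule inspects, and the expiry of idle sessions so their state is freed. The 30-second timeout, addresses and packets are constructed values.

```python
"""Simplified model of the behaviour discussed above: a flow:established
rule inspects packets whose TCP ACK bit is set ('A+', ACK plus any other
flags), and idle sessions are expired so their memory can be released.
Constructed example, not Snort's stream4 code; the timeout is assumed."""
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    flags: int          # TCP flag bits
    ts: float           # arrival time in seconds
    payload: bytes = b""


def is_established(flags: int) -> bool:
    """'A+': the ACK bit is set, whatever other bits accompany it.
    A bare SYN is therefore not inspected, but SYN+ACK with data is."""
    return bool(flags & ACK)


class SessionTable:
    """Tracks sessions by endpoint pair and frees idle ones after `timeout`."""

    def __init__(self, timeout: float = 30.0):   # assumed idle timeout
        self.timeout = timeout
        self.sessions: dict = {}                  # key -> last-seen time

    @staticmethod
    def key(pkt: Packet) -> tuple:
        return tuple(sorted((pkt.src, pkt.dst)))  # direction-independent

    def expire(self, now: float) -> int:
        """Drop sessions idle longer than the timeout; return number freed."""
        dead = [k for k, last in self.sessions.items()
                if now - last > self.timeout]
        for k in dead:
            del self.sessions[k]
        return len(dead)

    def process(self, pkt: Packet) -> bool:
        """Update session state; return True if a flow:established rule
        would be run against this packet."""
        self.expire(pkt.ts)
        self.sessions[self.key(pkt)] = pkt.ts
        return is_established(pkt.flags)
```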

