RE: need help understanding the "flow:" keyword

["Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>]

-----Original Message-----
From:   Frank Knobbe [mailto:frank () knobbe us]
Sent:   Wed 01/05/2005 04:04 PM
To:     Miner, Jonathan W (CSC) (US SSA)
Cc:     snort-users () lists sourceforge net
Subject:        RE: [Snort-users] need help understanding the "flow:" keyword

On Wed, 2005-01-05 at 13:46 -0500, Miner, Jonathan W (CSC) (US SSA)
wrote:
> > I do have the flow preprocessor enabled, same line in snort.conf as
> > you have in your email.
> [...]
> I am running 2.3RC2... I upgraded to that yesterday.
>
> It appears that none of the flow sigs fire.

That is very strange. I'm running 2.3.0RC2 (build 9) with flow
preprocessor enabled, and my bleeding (and normal Snort rules) that
contain flow alert just fine.

Last thing to check... do you have a -z in the Snort command line? If
so, take that out and see if that makes difference.

Regards,
Frank
-----End Original Message-----

My snort command line is:

snort -b -c ../rules/snort.conf -l /var/log/snort -A fast -D


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users