Snort mailing list archives
Re: Are the rules not being read?
From: Eric Zheng <zhengeric () hotmail com>
Date: Mon, 26 Apr 2010 20:57:47 -0500
Alex Kirk's suggestion has fixed my problem, and Snort now picks up packets like I wanted it to. Many kudos!

Date: Mon, 26 Apr 2010 21:23:12 -0400
Subject: Re: [Snort-users] Are the rules not being read?
From: akirk () sourcefire com
To: zhengeric () hotmail com

No problem, glad to help. If you wouldn't mind cc'ing the list, people generally appreciate knowing when a problem has been solved. :-)

On Mon, Apr 26, 2010 at 6:42 PM, Eric Zheng <zhengeric () hotmail com> wrote:

Yes, that fixes things. I'm seeing snort alerts pop up whenever I run MSN now. Thank you so much :)

Date: Mon, 26 Apr 2010 07:47:20 -0400
Subject: Re: [Snort-users] Are the rules not being read?
From: akirk () sourcefire com
To: zhengeric () hotmail com
CC: snort-users () lists sourceforge net

Are you running Snort on the same machine that's doing the chatting? Most operating systems do something called TCP checksum offloading, where the checksum is calculated on the network card on the packet's way out to its destination. Since Snort will snag the packet from libpcap before it hits the network card, the checksum will not have been calculated yet, and will thus be incorrect. Since Snort's default behavior is to ignore packets with broken checksums, it will not alert on these packets. Try running with "-k none" to skip checksums and see if that fixes things.

On Apr 26, 2010 3:19 AM, "Eric Zheng" <zhengeric () hotmail com> wrote:

I have set up snort successfully and I can get it to read pings to websites and scan packets. However, I am testing out the chat rules which should trigger an alert whenever I sign onto MSN or Yahoo, but it does not seem to do anything whenever I sign in and talk to people. I have it enabled in snort.conf (took away the # sign) and see that chat.rules is in the rules directory. Anyone know any possible causes of this? Thank you.

PS: I'm also getting a lot of 1384 "malformed advertisement" alerts which I believe to be false positives. Any way to correct this? Thanks.
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
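The checksum-offloading mechanism Alex describes above, as an added example (this is not code from the thread and not Snort's own code). It builds two IPv4/TCP packets from a constructed MSN-style payload to the MSN Messenger port (1863): one as it appears on the wire, with a correct TCP checksum, and one as libpcap captures it on the sending host when the NIC fills the checksum in later (the field is still zero). A small decision model of Snort's checksum verification then shows why the "offloaded" copy never reaches the rules under the default "-k all" but does under "-k none". The addresses, ports and payload are assumptions chosen for illustration.

```python
"""Why Snort's default checksum verification skips packets captured on a host
whose NIC does TCP checksum offloading (added example, not from the thread).
"""
import socket
import struct

IPPROTO_TCP = 6

# Constructed sample values (assumptions, not from the thread): documentation
# addresses, an ephemeral source port, the MSN Messenger port, and a
# constructed MSNP-style greeting as payload.
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.20"
SPORT, DPORT = 50000, 1863
PAYLOAD = b"VER 1 MSNP15 CVR0\r\n"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum: pseudo-header (src, dst, zero, proto, TCP length)
    followed by the segment with its own checksum field (bytes 16-17) zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes, offloaded: bool) -> bytes:
    """Minimal IPv4 + TCP packet (no options, PSH|ACK).

    offloaded=True leaves the TCP checksum field at 0, which is what libpcap
    hands to Snort on the sending host before the NIC computes the real value.
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    if not offloaded:
        csum = tcp_checksum(src_ip, dst_ip, tcp)
        tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # IP header checksum covers only the header; its own field starts at 0.
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def tcp_checksum_ok(packet: bytes) -> bool:
    """Recompute the TCP checksum of a raw IPv4 packet and compare with the stored one."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src, dst, segment)


def snort_inspects(packet: bytes, checksum_mode: str = "all") -> bool:
    """Decision model of Snort's checksum verification (-k <mode> on the command
    line, or 'config checksum_mode: <mode>' in snort.conf).

    'all' (the default): a TCP segment with a bad checksum is not handed to the
    rules, so no alert can fire. 'none' skips every checksum check and 'notcp'
    skips only TCP, so the packet reaches the rules either way.
    """
    if checksum_mode in ("none", "notcp"):
        return True
    return tcp_checksum_ok(packet)


if __name__ == "__main__":
    wire = build_ipv4_tcp(SRC_IP, DST_IP, SPORT, DPORT, PAYLOAD, offloaded=False)
    local = build_ipv4_tcp(SRC_IP, DST_IP, SPORT, DPORT, PAYLOAD, offloaded=True)
    for name, pkt in (("on the wire", wire), ("captured on sender", local)):
        print(f"{name:20s} checksum ok={tcp_checksum_ok(pkt)!s:5} "
              f"inspected(-k all)={snort_inspects(pkt, 'all')!s:5} "
              f"inspected(-k none)={snort_inspects(pkt, 'none')}")
```

Running it prints one line per packet: the wire copy passes verification and is inspected in both modes, while the locally captured copy fails verification and is only inspected with "-k none". The same applies to the snort.conf equivalent, "config checksum_mode: none". Two caveats worth knowing that the thread does not cover: "-k none" also stops Snort from discarding genuinely corrupt traffic, so on a dedicated sensor port (where the NIC is not the sender) the default is the safer choice; and on Linux the offload itself can be switched off for a test interface with "ethtool -K <iface> tx off", which leaves Snort's verification intact.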
Current thread:
- Are the rules not being read? Eric Zheng (Apr 26)
- Re: Are the rules not being read? Alex Kirk (Apr 26)
- Message not available
- Message not available
- Re: Are the rules not being read? Eric Zheng (Apr 26)
- Message not available
- Re: Are the rules not being read? Alex Kirk (Apr 26)
- Re: Are the rules not being read? Joel Esler (Apr 26)