Snort mailing list archives

sql.rules and instant messaging


From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 30 Apr 2003 09:13:26 -0700 (PDT)

Hello all!

Real quick...wondering what I need to do to get
sql.rules running.  It works like a champ at home, but
not at work :(  External is set to the internal lan as
well as the external netblock...it comes in...even is
seen as a portscan, but no msql rule shows up.  The
box that snort is running on is using kernel
bridging to bridge 2 nics on...I have eth0, eth1, and
br0...br0 has an ip, but the other 2 do not.  I'm
binding snort to eth1 which is the external if...any
issues with that maybe?  Also, I have a script that
runs with wots that will add any ip that portscans to
the firewall list for 5 minutes...anything I'm missing
here?

NEXT!

Next is TRYING to content filter instant messaging.  I
stole a rule off of the porn.rules and added:

alert tcp $EXTERNAL_NET 1863 <- $HOME_NET any
(msg:"PORN testingjimbo"; content:"testingjimbo";
nocase; classtype:kickass-porn; sid:1833; rev:1;)

I've tried adding the flow:established and also tried
<-> to track both ends of the session...no go
though..still not seeing it.  Anyone know of what I'm
doing wrong?  Thanks people!

James
