Snort mailing list archives

Re: does not work local.rules


From: Todd Wease <twease () sourcefire com>
Date: Tue, 08 Aug 2006 10:12:06 -0400

On Tue, 2006-08-08 at 15:34 +0200, repniksz () aviva co hu wrote:

Hi,  
I've made a very simple rule in my local.rules:  
alert tcp any any -> any 8080 ( msg: "Own"; content: "Hello!!!!"; )  
and after that I've watched a file in my browser on 8080 port, and I
did not get any alert.  
The local.rules is in my snort.conf .  
What is wrong? 

If Snort is listening on the same machine from where you are sending the
traffic from, it's possible that TCP checksum offloading is occurring
where the checksum is not added until it gets to your network interface.
If Snort comes across a packet with an incorrect checksum, the rules
engine will ignore it because it assumes that the packet will be dropped
anyway by the receiver.  Try the command line option "-k notcp" and see
if that works.

Todd
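
Added example, not part of the original message and not Snort's own code: a sketch of the receiver-side TCP checksum check, showing why a segment captured on the sending host before the NIC fills in the checksum fails verification. The addresses, ports and header values are constructed, and the offloaded placeholder is assumed to be zero for simplicity.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP header and payload."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return ~ones_complement_sum(pseudo + segment) & 0xFFFF

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: a segment carrying a correct checksum sums to 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0

def build_segment(payload: bytes, checksum: int = 0) -> bytes:
    """Constructed TCP segment: 40000 -> 8080, seq 1, ack 1, PSH|ACK, no options."""
    header = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 1,
                         5 << 4, 0x18, 65535, checksum, 0)
    return header + payload

# Constructed sample data (documentation address range, payload from the rule).
SRC, DST = "192.0.2.10", "192.0.2.20"
PAYLOAD = b"Hello!!!!"

# What a sniffer on the sending host sees when the NIC will add the checksum
# later: the field still holds a placeholder (assumed to be 0 here).
offloaded = build_segment(PAYLOAD)
# What actually leaves the interface once the checksum has been filled in.
on_wire = build_segment(PAYLOAD, tcp_checksum(SRC, DST, offloaded))

if __name__ == "__main__":
    for name, seg in (("captured locally", offloaded), ("on the wire", on_wire)):
        verdict = "valid" if checksum_ok(SRC, DST, seg) else "bad checksum"
        print(f"{name}: {verdict}, payload present: {PAYLOAD in seg}")
```

Both segments carry the "Hello!!!!" payload; only the checksum field differs between them.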



