Snort mailing list archives
Re: Are the rules not being read?
From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 26 Apr 2010 07:47:20 -0400
Are you running Snort on the same machine that's doing the chatting? Most operating systems do something called TCP checksum offloading, where the checksum is calculated on the network card on the packet's way out to its destination. Since Snort will snag the packet from libpcap before it hits the network card, the checksum will not have been calculated yet, and will thus be incorrect. Since Snort's default behavior is to ignore packets with broken checksums, it will not alert on these packets.

Try running with "-k none" to skip checksums and see if that fixes things.

On Apr 26, 2010 3:19 AM, "Eric Zheng" <zhengeric () hotmail com> wrote:

> I have set up snort successfully and I can get it to read pings to websites and scan packets. However, I am testing out the chat rules which should trigger an alert whenever I sign onto MSN or Yahoo but it does not seem to do anything whenever I sign in and talk to people. I have it enabled in snort.conf (took away the # sign) and see that chat.rules is in the rules directory. Anyone know any possible causes of this? Thank you.
>
> PS: I'm also getting a lot of 1384 "malformed advertisement" alerts which I believe to be false positives. Any way to correct this? Thanks.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
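The checksum behaviour described in Alex Kirk's reply, as an added example that is not part of the original thread and is not Snort's own code: it verifies a TCP checksum the way a sensor would and shows why a segment captured on the sending host fails while the same segment on the wire passes. The addresses, payload, the 0 placeholder in the checksum field and the `reaches_rules` helper are constructed assumptions.

```python
import socket
import struct

def fold_sum(data: bytes) -> int:
    """16-bit one's-complement sum (the Internet checksum arithmetic)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return ~fold_sum(pseudo + segment) & 0xFFFF

def build_segment(sport: int, dport: int, payload: bytes, checksum: int = 0) -> bytes:
    # Minimal 20-byte header: seq 1, ack 0, data offset 5, PSH|ACK, window 8192.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                       8192, checksum, 0) + payload

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # Summing a segment that already carries a correct checksum yields 0.
    return tcp_checksum(src, dst, segment) == 0

def reaches_rules(src, dst, segments, checksum_mode="all"):
    """Toy model of the post: bad checksums are ignored unless mode is 'none'."""
    return [s for s in segments
            if checksum_mode == "none" or checksum_ok(src, dst, s)]

# Constructed sample: documentation addresses, made-up payload to port 1863.
SRC, DST = "192.0.2.10", "198.51.100.20"
PAYLOAD = b"hello chat"
# As captured on the sending host: checksum field not yet filled in by the NIC
# (0 is an assumed placeholder; the real value depends on the OS and driver).
AS_CAPTURED = build_segment(49152, 1863, PAYLOAD, checksum=0)
# As it appears on the wire after the NIC has computed the checksum.
ON_WIRE = build_segment(49152, 1863, PAYLOAD,
                        checksum=tcp_checksum(SRC, DST, AS_CAPTURED))

if __name__ == "__main__":
    for name, seg in (("captured locally", AS_CAPTURED), ("on the wire", ON_WIRE)):
        print(name, "checksum ok:", checksum_ok(SRC, DST, seg))
    both = [AS_CAPTURED, ON_WIRE]
    print("default mode inspects:", len(reaches_rules(SRC, DST, both)))
    print("-k none inspects:", len(reaches_rules(SRC, DST, both, "none")))
```

A sensor on a separate machine or tap sees only the on-the-wire form, which is why the problem shows up when Snort runs on the host generating the traffic.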
Current thread:
- Are the rules not being read? Eric Zheng (Apr 26)
- Re: Are the rules not being read? Alex Kirk (Apr 26)
- Message not available
- Message not available
- Re: Are the rules not being read? Eric Zheng (Apr 26)
- Message not available
- Re: Are the rules not being read? Alex Kirk (Apr 26)
- Re: Are the rules not being read? Joel Esler (Apr 26)