Snort mailing list archives

Re: Are the rules not being read?


From: Eric Zheng <zhengeric () hotmail com>
Date: Mon, 26 Apr 2010 20:57:47 -0500


Alex Kirk's suggestion has fixed my problem, and Snort now picks up packets like I wanted it to.  Many kudos!

Date: Mon, 26 Apr 2010 21:23:12 -0400
Subject: Re: [Snort-users] Are the rules not being read?
From: akirk () sourcefire com
To: zhengeric () hotmail com

No problem, glad to help. If you wouldn't mind cc'ing the list, people generally appreciate knowing when a problem has 
been solved. :-)

On Mon, Apr 26, 2010 at 6:42 PM, Eric Zheng <zhengeric () hotmail com> wrote:
Yes, that fixes things.  I'm seeing snort alerts pop up whenever I run MSN now.  Thank you so much :)

Date: Mon, 26 Apr 2010 07:47:20 -0400
Subject: Re: [Snort-users] Are the rules not being read?
From: akirk () sourcefire com

To: zhengeric () hotmail com
CC: snort-users () lists sourceforge net


Are you running Snort on the same machine that's doing the chatting? Most operating systems do something called TCP 
checksum offloading, where the checksum is calculated on the network card on the packet's way out to its destination. 
Since Snort will snag the packet from libpcap before it hits the network card, the checksum will not have been 
calculated yet, and will thus be incorrect.  Since Snort's default behavior is to ignore packets with broken checksums, 
it will not alert on these packets. Try running with "-k none" to skip checksums and see if that fixes things. 
On Apr 26, 2010 3:19 AM, "Eric Zheng" <zhengeric () hotmail com> wrote:
I have set up snort successfully and I can get it to read pings to websites and scan packets.  However, I am testing 
out the chat rules which should trigger an alert whenever I sign onto MSN or Yahoo but it does not seem to do anything 
whenever I sign in and talk to people.  I have it enabled in snort.conf (took away the # sign) and see that chat.rules 
is in the rules directory.  Anyone know any possible causes of this?  Thank you.
PS:  I'm also getting a lot of 1384 "malformed advertisement" alerts which I believe to be false positives.  Any way to 
correct this?  Thanks.
------------------------------------------------------------------------------


_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
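The checksum-offloading explanation in Alex Kirk's reply above, as an added example that is not part of the thread: a small Python model of why a TCP segment captured on the sending host fails checksum validation, and why "-k none" makes Snort inspect it anyway. The addresses, ports and MSN-style payload are constructed, and snort_would_inspect is a simplified stand-in for Snort's -k handling, not Snort's own code.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Value the NIC (or the stack) must write into bytes 16-17 of the TCP header."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(tcp_pseudo_header(src, dst, len(segment)) + zeroed)) & 0xFFFF

def tcp_checksum_valid(packet: bytes) -> bool:
    """packet = IPv4 header + TCP segment, no link layer. True if the stored checksum verifies."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    # With the stored checksum included, a correct segment sums to 0xFFFF
    return ones_complement_sum(tcp_pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def build_packet(checksum=None) -> bytes:
    """Constructed sample: 10.0.0.5:40000 -> 10.0.0.9:1863 with an MSN-style greeting.
    checksum=None stores the correct value; any other value stands in for the not-yet-computed
    field that libpcap sees on a host whose NIC does checksum offloading."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    payload = b"VER 1 MSNP15 CVR0\r\n"  # constructed payload
    # src port, dst port, seq, ack, data offset (5 words), flags PSH+ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 1863, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    if checksum is None:
        checksum = tcp_checksum(src, dst, tcp)
    tcp = tcp[:16] + struct.pack("!H", checksum) + tcp[18:]
    # IP header checksum is left at 0 here; only the TCP checksum is modelled
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return ip + tcp

def snort_would_inspect(packet: bytes, k_mode: str = "all") -> bool:
    """Simplified model of Snort's -k option: 'all' (the default) drops segments with a bad
    TCP checksum before rule matching; 'notcp' and 'none' skip the TCP check."""
    if k_mode in ("none", "notcp"):
        return True
    return tcp_checksum_valid(packet)
```

Running build_packet(0) through snort_would_inspect with the default mode shows the segment being discarded before the chat rules could ever match it, while "none" lets it through.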
