Snort mailing list archives

Snort daq / nfq / "content: " not working...


From: Jesko Mägle <jesko () maegle de>
Date: Fri, 30 Dec 2011 11:08:40 +0100

Hi,

first of all, I want to say "Hi" to this great group. I was reading a lot of posts, and got a lot of good ideas from it... Thanks :)

But now I have a problem I can't solve on my own, maybe someone has an idea?

I'm testing snort on a gentoo-machine. snort 2.9.1 to be exact. After a lot of reading and some eye-openers concerning daq I'm stuck with the following problem:

I have a rule "drop tcp any any <> any any ( msg:"Works"; sid:10000009;rev:1;)" - this rule works - just everything is dropped... Fine. In the next step I added "content: www.youtube.com"; to it - and - it doesn't work.

I use the default snort.conf from the vrt-team, I tried the gentoo-snort.conf - experimented with the http_inspect preprocessor (read something that this might be the issue...) - but - I'm stuck.

Any ideas where I can look, what I can do?

Greeting,
Jesko

--
JESKO MÄGLE

Höfinger Straße 35
D-71254 Ditzingen
Telefon +49 (0) 7156 9103872
Mobil +49 (0) 172 7629270
http://www.maegle.de | jesko () maegle de <mailto:jesko () maegle de>
