Snort mailing list archives

Re: URI content not being identified


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 12 May 2014 13:23:03 +0000

On May 9, 2014, at 5:35 PM, Jelte <masterjel5000 () hotmail com> wrote:

The same is also achieved by adding "-k none" as a command line option
when starting Snort. I have no idea why a change in the behavior of the
validation of TCP checksums would make the "uricontent" and "http_uri;"
rules suddenly work. Also because the "content" filter in the rules DID
work before. Anyway, I'm glad it works now, but if anyone has an
explanation of what caused this behavior, please let me know! Thanks :-)

Snort validates checksums by default; the checksums are invalid, so Snort doesn't bother inspecting the packet. "-k none" shuts this functionality off.

You must be capturing the packets on the same box that you are attempting the test from.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team