Snort mailing list archives
Re: URI content not being identified
From: Jelte <masterjel5000 () hotmail com>
Date: Mon, 12 May 2014 19:30:09 +0200
Thanks for the explanation, Joel. Given the fact that Snort discards packets with bad checksums by default, I still think it's weird that without using "-k none" the rules that filtered on a URL-specific value in the "content" did trigger an alert and the rules that filtered on the same value in "uricontent" did not, and that after using "-k none" the "uricontent" rules suddenly started generating alerts...

Joel Esler (jesler) wrote on 5/12/2014 3:23 PM:
>> On May 9, 2014, at 5:35 PM, Jelte <masterjel5000 () hotmail com> wrote:
>>
>> The same is also achieved by adding "-k none" as a command line option when starting Snort. I have no idea why a change in the behavior of the validation of TCP checksums would make the "uricontent" and "http_uri;" rules suddenly work. Also because the "content" filter in the rules DID work before. Anyway, I'm glad it works now, but if anyone has an explanation of what caused this behavior, please let me know! Thanks :-)
>
> Snort validates checksums by default, the checksums are invalid, Snort doesn't bother inspecting the packet. "-k none" shuts this functionality off. You must be capturing the packets on the same box that you are attempting the test from.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
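The diagnostic the thread arrives at (check whether the capture actually carries valid TCP checksums before blaming the rules) can be done offline without Snort. The following is an added example, not code from the thread or from the Snort project: it builds a constructed IPv4/TCP packet carrying a small HTTP request with a correct checksum, derives a copy whose TCP checksum is wrong (a stand-in for what a sniffer sees on the sending host when the NIC was left to fill the field in), verifies both with the RFC 1071 one's-complement sum, and models Joel's description of Snort's behaviour: with checksum validation on (the default) a packet failing the check is not handed to detection, while `-k none` (or, in a Snort 2.x snort.conf, `config checksum_mode: none`) inspects everything. The addresses, ports and request are all made up for the example; the "inspected_by_snort" function is a model of the statement in the thread, not Snort's own code.

```python
import socket
import struct

# Constructed sample HTTP request; not a capture from the thread.
HTTP_REQUEST = b"GET /test.php?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_length: int) -> bytes:
    # src, dst, zero, protocol (6 = TCP), TCP length (header + payload)
    return src + dst + struct.pack("!BBH", 0, 6, tcp_length)


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload):
    """IPv4 + TCP (PSH|ACK, no options) with both checksums computed correctly."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    csum = internet_checksum(tcp_pseudo_header(src, dst, 20 + len(payload)) + tcp + payload)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    # ver/ihl, tos, total length, id, flags (DF), ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def corrupt_tcp_checksum(pkt: bytes) -> bytes:
    """Flip the top bit of the TCP checksum field. Constructed stand-in for the
    wrong value seen when capturing on the sending host with checksum offload."""
    ihl = (pkt[0] & 0x0F) * 4
    off = ihl + 16  # checksum sits 16 bytes into the TCP header
    return pkt[:off] + bytes([pkt[off] ^ 0x80]) + pkt[off + 1:]


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum of an IPv4/TCP packet given without link-layer header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    segment = pkt[ihl:total_len]
    pseudo = tcp_pseudo_header(pkt[12:16], pkt[16:20], len(segment))
    # Summing over the segment *including* its checksum field gives all ones iff valid.
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def inspected_by_snort(pkts, checksum_mode="all"):
    """Model (assumption, not Snort code) of the behaviour described in the thread:
    default checksum validation drops bad-checksum packets before detection;
    '-k none' / 'config checksum_mode: none' lets every packet through."""
    return [p for p in pkts if checksum_mode == "none" or tcp_checksum_ok(p)]


GOOD = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80, HTTP_REQUEST)
BAD = corrupt_tcp_checksum(GOOD)

if __name__ == "__main__":
    for name, p in (("good", GOOD), ("bad", BAD)):
        print(name, "tcp checksum ok:", tcp_checksum_ok(p))
    print("inspected with default checksum mode:", len(inspected_by_snort([GOOD, BAD])))
    print("inspected with -k none:", len(inspected_by_snort([GOOD, BAD], "none")))
```

For a real capture the same check is quickest with `tcpdump -vv -r file.pcap`, which flags bad IP and TCP checksums in its output; if every outbound packet from the test host is flagged, the capture was taken on the sender and Snort's default checksum validation, not the rule syntax, is what is suppressing the alerts.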