Re: [Snort-users] does not work local.rules
This is a discussion on Re: [Snort-users] does not work local.rules within the Snort forums, part of the System Security and Security Related category; On Tue, 2006-08-08 at 15:34 +0200, repniksz@aviva.co.hu wrote: > > Hi, > I've ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
08-08-2006
|
|||
|
|||
Re: [Snort-users] does not work local.rules
On Tue, 2006-08-08 at 15:34 +0200, repniksz@aviva.co.hu wrote:
> > Hi, > I've made a very simple rule in my local.rules: > alert tcp any any -> any 8080 ( msg: "Own"; content: "Hello!!!!"; ) > and after that i've watched a file in my browser on 8080 port, and i > did not get any alert. > The local.rules is in my snort.conf . > What is wrong? If Snort is listening on the same machine from where you are sending the traffic from, it's possible that TCP checksum offloading is occuring where the checksum is not added until it gets to your network interface. If Snort comes across a packet with an incorrect checksum, the rules engine will ignore it because it assumes that the packet will be dropped anyway by the receiver. Try the command line option "-k notcp" and see if that works. Todd ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=...057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
