[Snort-sigs] problem with Snort-rules not matching [SOLVED]

Simon Blixt blixten_496 at ...12...
Wed Apr 25 02:59:57 EDT 2012


It all works now! I moved my old directories in /usr/local/lib/snort to 
the new compiled place, /home/user/ (don't ask me why it got located 
and started Snort with only "snort" since the new compiled got compiled in the correct "environment-variable".

From: blixten_496 at ...12...
To: snort-sigs at lists.sourceforge.net
Date: Sat, 21 Apr 2012 12:52:42 +0000


I am new to Snort and just managed to set up v. 2.9.2 on Ubuntu 10.04. I have now created my own simple rule, just to try out my setup. It looks like this:
alert tcp any any -> any any (content:"www.uid11.local"; msg:"First rule test"; sid:132321;)

And I run snort like this:
/usr/local/lib/snort/bin/snort -u snort -g snort -c /usr/local/lib/snort/etc/snort.conf -i eth1

But it doesn't work! Nothing happens. After I've hit CTRL+C I see that it has controlled xxx packets, but nothing more, no drops, alerts etc.

My server running Snort got two interfaces, eth0 and eth1. eth0 got IP and eth1 got

I got a webserver on the network with IP And I have a client on with IP
To make it possible for my client to reach the webserver I've activated IPv4-forwarding in /etc/sysctl.conf on the server running Snort.
So the client got as its default gateway, and the webserver

So my topology looks like this:

What else do you need to know? I need your help to figure out what my noobish head doesn't understand.

Thank you in advance!