[Snort-users] does not work local.rules

Todd Wease twease at ...1935...
Tue Aug 8 10:12:06 EDT 2006


On Tue, 2006-08-08 at 15:34 +0200, repniksz at ...13889... wrote:
> 
> Hi,  
> I've made a very simple rule in my local.rules:  
> alert tcp any any -> any 8080 ( msg: "Own"; content: "Hello!!!!"; )  
> and after that i've watched a file in my browser on 8080 port, and i
> did not get any alert.  
> The local.rules is in my snort.conf .  
> What is wrong? 

If Snort is listening on the same machine from where you are sending the
traffic from, it's possible that TCP checksum offloading is occuring
where the checksum is not added until it gets to your network interface.
If Snort comes across a packet with an incorrect checksum, the rules
engine will ignore it because it assumes that the packet will be dropped
anyway by the receiver.  Try the command line option "-k notcp" and see
if that works.

Todd





More information about the Snort-users mailing list