[Snort-users] Are the rules not being read?

Eric Zheng zhengeric at ...125...
Mon Apr 26 21:57:47 EDT 2010

Alex Kirk's suggestion has fixed my problem, and Snort now picks up packets like I wanted it to.  Many kudos!

Date: Mon, 26 Apr 2010 21:23:12 -0400
Subject: Re: [Snort-users] Are the rules not being read?
From: akirk at ...1935...
To: zhengeric at ...125...

No problem, glad to help. If you wouldn't mind cc'ing the list, people generally appreciate knowing when a problem has been solved. :-)

On Mon, Apr 26, 2010 at 6:42 PM, Eric Zheng <zhengeric at ...125...> wrote:

Yes, that fixes things.  I'm seeing snort alerts pop up whenever I run MSN now.  Thank you so much :)

Date: Mon, 26 Apr 2010 07:47:20 -0400
Subject: Re: [Snort-users] Are the rules not being read?
From: akirk at ...1935...

To: zhengeric at ...125...
CC: snort-users at lists.sourceforge.net

Are you running Snort on the same machine that's doing the chatting? Most operating systems do something called TCP checksum offloading, where the checksum is calculated on the network card on the packet's way out to its destination. Since Snort will snag the packet from libpcap before it hits the network card, the checksum will not have been calculated yet, and will thus be incorrect.  Since Snort's default behavior is to ignore packets with broken checksums, it will not alert on these packets. Try running with "-k none" to skip checksums and see if that fixes things. 

On Apr 26, 2010 3:19 AM, "Eric Zheng" <zhengeric at ...125...> wrote:

I have set up snort successfully and I can get it to read pings to websites and scan packets.  However, I am testing out the chat rules which should trigger an alert whenever I sign onto MSN or Yahoo but it does not seem to do anything whenever I sign in and talk to people.  I have it enabled in snort.conf (took away the # sign) and see that chat.rules is in the rules directory.  Anyone know any possible causes of this?  Thank you.

PS:  I'm also getting a lot of 1384 "malformed advertisement" alerts which I believe to be false positives.  Any way to correct this?  Thanks.
The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail. Get busy.



Snort-users mailing list

Snort-users at lists.sourceforge.net

Go to this URL to change user options or unsubscribe:


Snort-users list archive:


Hotmail has tools for the New Busy. Search, chat and e-mail from your inbox. Learn more.

Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk at ...1935...
The New Busy is not the old busy. Search, chat and e-mail from your inbox.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100426/862c9753/attachment.html>

More information about the Snort-users mailing list