[Snort-users] Snort daq / nfq / "content: " not working...

Jesko Mägle jesko at ...15482...
Fri Dec 30 05:08:40 EST 2011


First of all, I want to say "Hi" to this great group. I was reading a 
lot of posts, and got a lot of good ideas from them... Thanks :)

But now I have a problem I can't solve on my own, maybe someone has an idea?

I'm testing Snort on a Gentoo machine, Snort 2.9.1 to be exact. After a 
lot of reading and some eye-openers concerning daq I'm stuck with the 
following problem:

I have a rule "drop tcp any any <> any any ( msg:"Works"; 
sid:10000009;rev:1;)" - this rule works - just everything is dropped...
In the next step I added "content: www.youtube.com"; to it - and - it 
doesn't work.

I use the default snort.conf from the vrt-team, I tried the 
gentoo-snort.conf - experimented with the http_inspect preprocessor 
(read something that this might be the issue...) - but - I'm stuck.

Any ideas where I can look, what I can do?



Höfinger Straße 35
D-71254 Ditzingen
Telefon +49 (0) 7156 9103872
Mobil +49 (0) 172 7629270
http://www.maegle.de | jesko at ...15482... <mailto:jesko at ...15482...>
