[Snort-users] URI content not being identified

Joel Esler (jesler) jesler at ...589...
Mon May 12 09:23:03 EDT 2014


On May 9, 2014, at 5:35 PM, Jelte <masterjel5000 at ...125...> wrote:

> The same is also achieved by adding "-k none" as a command line option
> when starting Snort. I have no idea why a change in the behavior of the
> validation of TCP checksums would make the "uricontent" and "http_uri;"
> rules suddenly work. Also because the "content" filter in the rules DID
> work before. Anyway, I'm glad it works now, but if anyone has an
> explanation of what caused this behavior, please let me know! Thanks :-)

Snort validates checksums by default; the checksums are invalid, so Snort doesn't bother inspecting the packet. "-k none" shuts this functionality off.

You must be capturing the packets on the same box that you are attempting the test from.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
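
Added example (not part of the original message, and not Snort's code): a Python version of the TCP checksum test described in the reply above, run on a constructed segment with a correct checksum and on one whose checksum field was never filled in. The addresses, payload and the `would_inspect` helper are assumptions made for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def build_segment(src: str, dst: str, payload: bytes, fill_checksum: bool) -> bytes:
    """Constructed TCP segment: port 40000 -> 80, PSH|ACK, no options."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    segment = header + payload
    if fill_checksum:
        csum = ~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) & 0xFFFF
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]  # bytes 16-17 hold the checksum
    return segment

def would_inspect(src: str, dst: str, segment: bytes, checksum_mode: str = "all") -> bool:
    """Simplified model of the behaviour in the thread (an assumption, not Snort's code):
    with TCP checksum validation on, a bad checksum means the packet is not inspected."""
    if checksum_mode in ("none", "notcp"):  # validation switched off, as with "-k none"
        return True
    return tcp_checksum_ok(src, dst, segment)

SRC, DST = "192.168.1.10", "192.168.1.20"   # constructed addresses
PAYLOAD = b"GET /admin HTTP/1.1\r\n\r\n"     # constructed request
on_wire = build_segment(SRC, DST, PAYLOAD, fill_checksum=True)
unfilled = build_segment(SRC, DST, PAYLOAD, fill_checksum=False)  # checksum field left at 0

if __name__ == "__main__":
    for name, seg in (("on_wire", on_wire), ("unfilled", unfilled)):
        print(name, "default:", would_inspect(SRC, DST, seg),
              "-k none:", would_inspect(SRC, DST, seg, "none"))
```

Both segments carry the same URI; only the checksum field differs, which is why every rule stops matching when validation drops the packet.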