[Snort-users] URI content not being identified

Jelte masterjel5000 at ...125...
Mon May 12 13:30:09 EDT 2014

Thanks for the explanation, Joel. Given the fact that Snort discards
packets with bad checksums by default, I still think it's weird that
without using "-k none" the rules that filtered on a URL-specific value
in the "content" did trigger an alert and the rules that filtered on the
same value "contenturi" did not and that after using "-k none" the 
"uricontent" rules suddenly started generating alerts...

Joel Esler (jesler) wrote on 5/12/2014 3:23 PM:
> On May 9, 2014, at 5:35 PM, Jelte <masterjel5000 at ...125...> wrote:
> The same is also achieved by adding "-k none" as a command line option
> when starting Snort. I have no idea why a change in the behavior of the
> validation of TCP checksums would make the "uricontent" and "http_uri;"
> rules suddenly work. Also because the "content" filter in the rules DID
> work before. Anyway, I'm glad it works now, but if anyone has an
> explanation of what caused this behavior, please let me know! Thanks :-)
> Snort validates checksums by default, the checksums are invalid, Snort doesn’t bother inspecting the packet. "-k none" shuts this functionality off.
> You must be capturing the packets on the same box that you are attempting the test from.
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
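
Added example (not part of the original thread and not Snort code): a Python check of the TCP checksum on a segment, with a simplified model of the behavior Joel describes, where a segment that fails validation is skipped unless validation is turned off. A common reason for bad checksums in a capture taken on the sending host is checksum offload, where the NIC fills in the checksum after the capture point. The addresses, ports, payload and the wrong checksum value are constructed, and `would_be_inspected` is a hypothetical helper.

```python
import socket
import struct

def _fold(data: bytes) -> int:
    """16-bit ones'-complement sum (RFC 1071) with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero, protocol 6 (TCP), TCP length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Value the sender should store (computed with the checksum field zeroed)."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~_fold(_pseudo_header(src, dst, len(zeroed)) + zeroed) & 0xFFFF

def checksum_valid(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: pseudo-header plus segment must fold to 0xFFFF."""
    return _fold(_pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def would_be_inspected(src, dst, segment, validate_checksums=True) -> bool:
    """Simplified model of the thread: a bad checksum means the packet is
    skipped, unless validation is off (the effect of "-k none")."""
    return (not validate_checksums) or checksum_valid(src, dst, segment)

def build_segment(checksum: int, payload: bytes) -> bytes:
    # 20-byte TCP header: ports, seq, ack, offset 5 + PSH/ACK, window, checksum, urgent
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x018, 8192, checksum, 0)
    return header + payload

# Constructed sample data (documentation addresses, made-up request).
SRC, DST = "192.0.2.10", "192.0.2.20"
PAYLOAD = b"GET /test.php?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"
CORRECT = tcp_checksum(SRC, DST, build_segment(0, PAYLOAD))
ON_WIRE = build_segment(CORRECT, PAYLOAD)                 # checksum filled in
LOCAL_CAPTURE = build_segment(CORRECT ^ 0x5555, PAYLOAD)  # stand-in for an unfilled checksum

if __name__ == "__main__":
    for name, seg in (("on wire", ON_WIRE), ("local capture", LOCAL_CAPTURE)):
        print(name,
              "valid" if checksum_valid(SRC, DST, seg) else "INVALID",
              "| inspected by default:", would_be_inspected(SRC, DST, seg),
              "| inspected with validation off:", would_be_inspected(SRC, DST, seg, False))
```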
