Snort doesn't react on rules - help a new snort user

[Simon Blixt <blixten_496 () hotmail com>]

Hi,

I am new to Snort and just managed to set up v. 2.9.2 on Ubuntu 10.04. I have now created an own simple rule, just to 
try out my setup. It looks like this:
alert tcp any any -> any any (content:"www.uid11.local""; msg:"First rule test"; sid: 132321;)

And I run snort like this:
/usr/local/lib/snort/bin/snort -u snort -g snort -c /usr/local/lib/snort/etc/snort.conf -i eth1

But it doesn't work! Nothing happens. After I've hit CTRL+C I see that it has controlled xxx packets, but nothing more, 
no drops, alerts etc.

My server running Snort got two interfaces, eth0 and eth1. eth0 got IP 10.10.10.3 and eth1 got 192.168.1.1.

I got a webserver on the network 10.10.10.0-net with IP 10.10.10.1. And I have a client on 192.168.1.0-net with IP 
192.168.1.10.
To make it possible for my client to reach the webserver I've activated IPv4-forwarding in /etc/sysctl.conf on the 
server running Snort.
So the client got 192.168.1.1 as it's default gateway, and the webserver 10.10.10.3.

So my topology looks like this:
[webserver]--------[IPS/Snort]-------------------[client]
10.10.10.1      10.10.10.3   192.168.1.1           192.168.1.10

What else do you need to know? I need your help to figure out what my noobish head don't understand.

Thank you in advance!

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!