Snort mailing list archives
Kill current session with Snort/Snortsam
From: "Vincent Corriveau" <Vincent.Corriveau () criq qc ca>
Date: Mon, 16 Sep 2002 08:30:31 -0400
I want to deny MSN Messenger access to my internal users. How I must do for stopping access to MSN Messenger to the user without blocking anything else (for exemple: HTTP, NNTP, Telnet) for the same user. I don't want to block external MSN servers for all users because I think they are used by hotmail.com. I try the following rule but all (HTTP, NNTP...) is denied. ruletype bloquer { type alert output output alert_fwsam: x.x.x.x/y output alert_full: /var/log/snort/alert_fwsam.txt } bloquer tcp $HOME_NET any -> $EXTERNAL_NET 80 \ ( \ msg:"MSN Poll - HTTP"; \ uricontent:"/gateway/gateway.dll?Action=poll"; offset:0; depth:90; \ flags:PA; \ fwsam: this, 60 seconds; \ ) I use Snort 1.8.7 and Snortsam 1.13 plugin Thanks ! Vincent C
Current thread:
- Kill current session with Snort/Snortsam Vincent Corriveau (Sep 16)
- RE: Kill current session with Snort/Snortsam Raj Wurttemberg (Sep 17)
- <Possible follow-ups>
- Kill current session with Snort/Snortsam Vincent Corriveau (Sep 18)