Snort mailing list archives

Re: i can't block sites with Snort


From: Skip Carter <skip () taygeta com>
Date: Thu, 01 Aug 2002 10:01:06 -0700


I wrote a rule like below:

alert tcp $HOME_NET any -> any 80
( content-list:"game.txt"; msg:"Interdit!!!";
react:block;msg;)

Like that, when I run snort, it didn't block the sites
that contain the words I mentioned in the "game.txt"
file.

I tried to apply "pass" in place of "alert", but it
didn't work either.

Any idea?!??!

        I have never had any luck with 'react' working (on OpenBSD) but 'resp' does
        appear to work.

        In any case, the problem you are having is probably due to the fact that most
        http connections only involve one or two packets and snort is not responding
        before the connection closes anyway.  Snort is responding to that particular
        connection, it is not acting like a firewall which inspects the packets before
        deciding it's safe to forward them on.





-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
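
The two rule forms the messages above refer to, written with the option syntax documented in the Snort 1.x manual. This is an added example, not part of either message; it assumes a Snort build with flexible response support, and the two rules are alternatives, not meant to be loaded together.

```conf
# Added example, not from the thread. Both options below are compiled in
# only when Snort is configured with --enable-flexresp.

# react: modifiers are comma-separated inside one option. "block" closes
# the connection and sends a notice; "msg" puts the rule's msg text in it.
alert tcp $HOME_NET any -> any 80 (content-list:"game.txt"; \
    msg:"Interdit!!!"; react: block, msg;)

# resp: the alternative mentioned in the reply. rst_all sends TCP RST
# packets to both ends of the connection after a packet has matched.
alert tcp $HOME_NET any -> any 80 (content-list:"game.txt"; \
    msg:"Interdit!!!"; resp: rst_all;)
```

Both forms act only after Snort has already seen a matching packet, which is the timing limit the reply describes for short HTTP connections.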

Snort-users mailing list
Snort-users () lists sourceforge net