Snort mailing list archives

Facing problem with react keyword.!

From: parikshit <parikshit () elitecore com>
Date: Sat, 15 Mar 2003 12:14:05 +0530 (GMT+05:30)

Hello , 

 I am facing problem with react keyword . I want to block TCP connection depending on certain keywords in contents. I 
have prepared a content-list file and I think it is okay.

 I want to block sites that have certain keywords in the content.  

 I am writting rule as follows .. 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (content-list:"contentfile.txt";msg:"content list rule violated.Co
nection blocked..";react:block,msg;)

HOME_NET    is the internal physical network.
EXTERNAL_NET is the external world. 
contentfile.txt  is a collection of words one per line that I am looking in the packets for ! 

The rule is not working as I expact. The alerts are generated . but the TCP connections doesn't seems to be blocked.. 

 What should I do  ? 

rgds 
-Parikshit 





-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Facing problem with react keyword.! parikshit (Mar 14)
- Re: Facing problem with react keyword.! Alberto Gonzalez (Mar 15)