Snort mailing list archives
RE: i can't block sites with Snort [ OT - a less sucky way to do this ]
From: "Moyer, Shawn" <SMoyer () rgare com>
Date: Thu, 1 Aug 2002 12:44:08 -0500
Totally outside of Snort anyway, but for what you're doing (blocking a list of inappropriate websites), you'd be a lot better off with Squid (http://www.squid-cache.org) via transproxy and DansGuardian (http://www.dansguardian.org).

Personally, I don't do anything with automated responses and IDSs. I see them as data-gathering tools with a very looong way to go before we'll really see any of that "Adaptive Network Security" we keep hearing about. I do kill a couple common URIs at my firewalls (cmd.exe, root.exe, etc.), but that's about it.

--shawn
-----Original Message-----
From: Skip Carter [mailto:skip () taygeta com]
Sent: Thursday, August 01, 2002 12:01
To: funky
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] i can't block sites with Snort

> I wrote a rule like below:
>
> alert tcp $HOME_NET any -> any 80 ( content-list:"game.txt"; msg:"Interdit!!!"; react:block;msg;)
>
> Like that, when I run snort, it didn't block the sites that contain the words I mentioned in the "game.txt" file. I tried to apply "pass" in place of "alert", but it didn't work either. Any idea?!??!

I have never had any luck with 'react' working (on OpenBSD) but 'resp' does appear to work. In any case, the problem you are having is probably due to the fact that most http connections only involve one or two packets and snort is not responding before the connection closes anyway. Snort is responding to that particular connection; it is not acting like a firewall which inspects the packets before deciding it's safe to forward them on.

--
Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.        INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
Monterey, CA. 93940

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
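Added example, not part of the original thread or of either poster's configuration: a minimal Squid setup for the inline approach suggested above, where the proxy refuses the request before forwarding it instead of reacting to a connection that is already in flight. It assumes Squid 3.1 or later on a Linux gateway; the file paths, port 3129, interface eth1 and the 192.168.0.0/16 range are placeholders.

```conf
# Added example. Assumptions: Squid 3.1+, Linux gateway; paths, ports,
# interface and subnet below are placeholders.
#
# The gateway redirects outbound plain-HTTP traffic to Squid, for example
# (assumed client-facing interface eth1):
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3129

# Regular forward-proxy port, plus a separate port for intercepted traffic.
http_port 3128
http_port 3129 intercept

# Clients allowed to use the proxy at all.
acl localnet src 192.168.0.0/16

# One domain per line; a leading dot (".example.com") also matches subdomains.
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"

# One regular expression per line, matched case-insensitively against the
# full URL. This plays the role of the keyword file in the Snort rule.
acl blocked_words url_regex -i "/etc/squid/game.txt"

# http_access is evaluated top-down and the first match wins, so the deny
# lines must come before the allow line or they never take effect.
http_access deny blocked_domains
http_access deny blocked_words
http_access allow localnet
http_access deny all
```

`squid -k parse` validates the file before a reload. Interception on port 80 covers cleartext HTTP only.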