Snort mailing list archives

RE: i can't block sites with Snort [ OT - a less sucky way to do this ]


From: "Moyer, Shawn" <SMoyer () rgare com>
Date: Thu, 1 Aug 2002 12:44:08 -0500

Totally outside of Snort anyway, but for what you're doing (blocking a list
of inappropriate websites), you'd be a lot better off with Squid
(http://www.squid-cache.org) via transproxy and DansGuardian
(http://www.dansguardian.org). 

Personally, I don't do anything with automated responses and IDS's. I see
them as data-gathering tools with a very looong way to go before we'll
really see any of that "Adaptive Network Security" we keep hearing about. I
do kill a couple common URI's at my firewalls (cmd.exe, root.exe, etc.), but
that's about it. 





--shawn


-----Original Message-----
From: Skip Carter [mailto:skip () taygeta com]
Sent: Thursday, August 01, 2002 12:01
To: funky
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] i can't block sites with Snort 



I wrote a rule like below:

alert tcp $HOME_NET any -> any 80
( content-list:"game.txt"; msg:"Interdit!!!";
react:block;msg;)

Like that, when I run Snort, it didn't block the sites
that contain the words I mentioned in the "game.txt"
file.

I tried to apply "pass" in place of "alert", but it
didn't work either.

Any idea?!??!

      I have never had any luck with 'react' working (on OpenBSD) but 'resp' does
      appear to work.

      In any case, the problem you are having is probably due to the fact that most
      http connections only involve one or two packets and snort is not responding
      before the connection closes anyway.  Snort is responding to that particular
      connection, it is not acting like a firewall which inspects the packets
      before deciding it's safe to forward them on.





-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            













-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
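
Added example (not part of the original thread and not Snort or Squid code): a simplified Python model of the race described in the quoted reply, contrasting a passive sensor that injects a reset after seeing a copy of the request with an inline filter that decides before forwarding. The word list, requests, function names, and all timings are constructed assumptions.

```python
# Simplified model; every value below is constructed for illustration.

def request_matches(request, words):
    """Case-insensitive substring match, standing in for a content-list lookup."""
    lowered = request.lower()
    return any(w.lower() in lowered for w in words)

def passive_sensor(request, words, arrivals_ms, reaction_ms):
    """Sensor sees a copy of the request; the original is already on the wire.

    arrivals_ms: times (ms after the request) at which response segments
    reach the client. reaction_ms: time until the injected reset reaches it.
    Returns the number of response segments the client still receives.
    """
    if not request_matches(request, words):
        return len(arrivals_ms)
    # Only segments that arrive after the reset are stopped.
    return sum(1 for t in arrivals_ms if t < reaction_ms)

def inline_filter(request, words, arrivals_ms):
    """Filter sits in the forwarding path and decides before passing traffic on."""
    if request_matches(request, words):
        return 0  # the request never reaches the server
    return len(arrivals_ms)

WORDS = [b"games", b"arcade"]  # constructed stand-in for game.txt
BLOCKED = b"GET /arcade/index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
ALLOWED = b"GET /docs/index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
SMALL_PAGE = [40, 41]                              # two segments
LARGE_DOWNLOAD = [40 + 5 * i for i in range(100)]  # 100 segments

def demo():
    return {
        "passive, small page, slow reset": passive_sensor(BLOCKED, WORDS, SMALL_PAGE, 60),
        "passive, large download, slow reset": passive_sensor(BLOCKED, WORDS, LARGE_DOWNLOAD, 60),
        "passive, small page, fast reset": passive_sensor(BLOCKED, WORDS, SMALL_PAGE, 10),
        "inline, blocked request": inline_filter(BLOCKED, WORDS, SMALL_PAGE),
        "inline, allowed request": inline_filter(ALLOWED, WORDS, SMALL_PAGE),
    }

if __name__ == "__main__":
    for name, segments in demo().items():
        print(f"{name}: {segments} segment(s) delivered")
```

In this model the passive result depends entirely on which side wins the race, while the inline result does not depend on timing at all.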




