Snort mailing list archives
Re: [Hogwash-devel] Re: what is the difference between these rules!??!?!
From: funky <azimlinux () yahoo com>
Date: Mon, 5 Aug 2002 00:29:45 -0700 (PDT)
Hi,

I'm making the test at my home using ppp0 for the external interface and eth0 for the internal interface. It works at all :) Can you explain to me why the porn.rules rules are written as below:

    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any /
    (msg:"Game site in not allowed!!";content:"tavla";nocase;flags:A+)

This is only for making alerts and logging?!?! If I wanna block a site, i.e. www.site.com, how can it be done?!? Is the solution below good?? Or can you tell me a better rule!?:

    drop tcp any any <> any any /
    (msg:"Game site is not allowed!!";content:"www.site.com";)

thanx
funky

--- Matt Kettler <mkettler () evi-inc com> wrote:
How are you physically configured? Is the network traffic in question running *through* your snort box (ie: the machine running snort acts as a router with 2 network cards), or alongside it?

Hogwash will only work if your snort box is an in-line router, and will not work as a single-interface side-monitor connected via a hub or ethernet tap.

Hogwash will only work if configured like this:

    internet ---- snort_hogwash_machine --- protected machine

it will not work like this:

    internet ------ hub/tap ------ "protected" machine (not really protected)
                       |
              snort_hogwash_machine

The second setup works for normal snorting, but does not work for hogwashing since the snort machine can only see the packets in question, it can't block them since it's not "in line".

If the second case is your only possible configuration, your best bet is flexresp, but that works by spoofing reset packets and does not work 100% reliably.

At 10:42 AM 8/3/2002 -0700, funky wrote:

Hi,

I'm trying to block some sites using the hogwash patch for Snort. I tried the rule below like the porn.rules:

    drop tcp $EXTERNAL_NET 80 -> $HOME_NET any /
    (msg:"Game site in not allowed!!";content:"tavla";nocase;flags:A+)

Trying to enter a web-site from a client, for example www.tavla.com, I can enter that, why!?!??!?! I have to modify the rule like below in order to block the site:

    drop tcp any any <> any any /
    (msg:"Game site is not allowed!!";content:"tavla";)

Now I'm not allowed to enter the sites. So do I have to modify the rules like that which I wanna apply the "drop" option!??!??! Anyone can help me in that case please?!?!?

thanx
funky
Istanbul
Current thread:
- what is the difference between these rules!??!?! funky (Aug 03)
- Re: what is the difference between these rules!??!?! Matt Kettler (Aug 03)
- Re: [Hogwash-devel] Re: what is the difference between these rules!??!?! funky (Aug 05)
- Re: [Hogwash-devel] what is the difference between these rules!??!?! allen (Aug 05)