Snort mailing list archives
React Rule Trouble
From: Daniel Ayoub <daniel () ayoub it>
Date: Fri, 19 Sep 2014 12:12:30 -0700
Hi, I'm having some trouble getting 'react' rules to work properly. Hoping someone can offer guidance on how to get HTTP hijacking to function properly. Trying to redirect to a block page when specific URLs are attempted to be accessed. Not sure if the issue is with the way my rule is formatted or the way my configuration is set. Running Snort as an inline IPS on a transparent bridge; all rules are set to 'reject'.

Here's my install info...

Version 2.9.6.2 GRE (Build 77)
Using libpcap version 1.5.3
Using PCRE version: 8.35 2014-04-04
Using ZLIB version: 1.2.8

Snippet from config...

config react: ../../overlay/rules/block.html
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=250

Snort is started with...

snort -c /etc/snort/snort.conf -i eth0:eth1 -Q -D

Here's the rule I'm testing ---

reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URL - Pornography";flow: to_server,established;content:"playboy.com";classtype: policy-violation;sid:9999; react: msg;)

The log correctly shows that the rule is triggered --

09/19-18:40:04.625305 [Drop] [**] [1:9999:0] BLACKLIST URL - Pornography [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.254.168:43847 -> 204.74.99.100:80

The page is correctly blocked and the incident is correctly logged; however, there are 2 problems.

1. The redirect / react page I added (block.html) is not being displayed.
2. As soon as I test this rule, all other traffic also stops flowing, requiring me to kill and restart Snort. (Snort is still running according to 'top' but no traffic is flowing). If I comment out the rule and the 'react' line in the config file and then restart Snort, everything works fine again and I can access the URL without issue.

Thanks,
Daniel
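As an added example (not part of Daniel's message or of Snort itself), a small Python parser for the fast-alert line and the rule quoted in the post, so that the sid and msg recorded in the log can be cross-checked against the rule text that is supposed to have fired; the two inputs below are copied from the message.

```python
import re

# Inputs copied from the post above (constructed test data, not output from a live sensor).
ALERT_LINE = ('09/19-18:40:04.625305 [Drop] [**] [1:9999:0] BLACKLIST URL - Pornography [**] '
              '[Classification: Potential Corporate Privacy Violation] [Priority: 1] '
              '{TCP} 172.16.254.168:43847 -> 204.74.99.100:80')
RULE_TEXT = ('reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URL - Pornography";'
             'flow: to_server,established;content:"playboy.com";classtype: policy-violation;'
             'sid:9999; react: msg;)')

# Snort "fast" alert format: timestamp, optional inline action tag ([Drop]), gid:sid:rev, msg,
# optional classification, priority, protocol, and the src:port -> dst:port pair.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)$')


def parse_alert(line):
    """Parse one fast-alert line into a dict; return None when the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ('gid', 'sid', 'rev', 'prio', 'sport', 'dport'):
        d[k] = int(d[k])
    return d


def parse_rule(text):
    """Split a Snort rule into its header fields and an ordered list of (option, value) pairs."""
    header, _, body = text.strip().partition('(')
    action, proto, src, sport, arrow, dst, dport = header.split()
    opts = []
    # Split on ';' only outside double quotes, so a quoted msg keeps any ';' it contains.
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body.rstrip(')')):
        raw = raw.strip()
        if raw:
            name, _, val = raw.partition(':')
            opts.append((name.strip(), val.strip().strip('"')))
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'direction': arrow, 'dst': dst, 'dport': dport, 'options': opts}


def alert_matches_rule(alert, rule):
    """True when the logged alert carries the sid and msg of the given rule."""
    opts = dict(rule['options'])
    return (alert is not None and alert['sid'] == int(opts.get('sid', -1))
            and alert['msg'] == opts.get('msg'))
```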