Snort mailing list archives
Snort react should return HTTP 302 instead of HTTP 403
From: Rishabh Shah <rishabh420 () gmail com>
Date: Thu, 26 Feb 2015 12:37:01 +0530
Hi Snort Team,

Is it possible that Snort can return an HTTP 302 page instead of HTTP 403 Forbidden when react is configured in the configuration file?

I have defined "config react: /var/www/html/block.html" in my configuration file and my traffic hits the following rule:

reject tcp any any -> any any (msg:"Illegal access"; appid: facebook; sid: 1020120; rev: 1; react: msg;)

On my Windows client, I receive an HTTP 403 Forbidden after sending a Facebook request, as shown in the packet capture below:

GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.facebook.com
Connection: Keep-Alive
Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l

*HTTP/1.1 403 Forbidden*
*Connection: close*
*Content-Type: text/html; charset=utf-8*
*Content-Length: 99*

*<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p> </body> </html>*
<^Content of block.html>

But I want Snort to return HTTP 302 instead of HTTP 403, as the above message doesn't get displayed in the browser when the response is HTTP 403.

I tried modifying "snort-2.9.7.0/src/detection-plugins/sp_react.c" (replacing *HTTP/1.1 403 Forbidden\r\n* with *HTTP/1.1 302 Moved Temporarily\r\n*) and did a make/make install to update the sp.react.o (object file). But I am still receiving HTTP 403.

Kindly let me know if I am missing anything.

Thank You!

Regards,
Rishabh Shah.
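A way to check what a rebuilt sensor actually sends, given the raw bytes of the block response copied out of a packet capture (an added example, not part of the original post and not Snort code). It reports a status line that is still 403, a Content-Length that disagrees with the body, and a 3xx response with no Location header, which is where a redirect tells the browser where to go. The function names, the `block.example` host and the three sample responses are constructed for illustration.

```python
# Added example, not Snort code. Sample responses below are constructed.
from typing import Dict, List, Tuple

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator (CRLF CRLF) found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def check_block_response(raw: bytes, expected_status: int) -> List[str]:
    """Return a list of problems; an empty list means the response is consistent."""
    status, headers, body = parse_response(raw)
    problems = []
    if status != expected_status:
        problems.append("status is %d, expected %d" % (status, expected_status))
    declared = headers.get("content-length")
    if declared is None:
        problems.append("no Content-Length header")
    elif not declared.isdigit() or int(declared) != len(body):
        problems.append("Content-Length %s but body is %d bytes" % (declared, len(body)))
    if 300 <= status < 400 and "location" not in headers:
        problems.append("%d response has no Location header" % status)
    return problems

def build(status_line: bytes, body: bytes, extra: bytes = b"") -> bytes:
    """Assemble a constructed sample response with a correct Content-Length."""
    return (status_line + b"\r\nConnection: close\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n" + extra +
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

PAGE = b"<!DOCTYPE html><html><body><h1>My Heading</h1></body></html>"
STILL_403 = build(b"HTTP/1.1 403 Forbidden", PAGE)
BARE_302 = build(b"HTTP/1.1 302 Moved Temporarily", PAGE)
FULL_302 = build(b"HTTP/1.1 302 Moved Temporarily", PAGE,
                 b"Location: http://block.example/block.html\r\n")

if __name__ == "__main__":
    for name, raw in (("403", STILL_403), ("bare 302", BARE_302), ("full 302", FULL_302)):
        print(name, "->", check_block_response(raw, 302) or "ok")
```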
Current thread:
- Snort react should return HTTP 302 instead of HTTP 403 Rishabh Shah (Feb 25)
- Re: Snort react should return HTTP 302 instead of HTTP 403 Rishabh Shah (Mar 02)
- Re: Snort react should return HTTP 302 instead of HTTP 403 Russ (Mar 02)
- Re: Snort react should return HTTP 302 instead of HTTP 403 Rishabh Shah (Mar 03)