Snort mailing list archives

Re: Block packets using snort with pf_ring


From: Lavanya Kumar <lavanyakumar84 () gmail com>
Date: Sat, 3 Oct 2015 17:30:01 +0530

Hello,
Yes, my sensor is inline.
I tried that command but it doesn't work for me, although I am sure that my
rule is working, because the same rule blocks the packets when I am running
snort in DAQ --nfq mode. I used the same rule in snort with pf_ring.
Is it possible to block specific URLs using pf_ring and Snort inline?
For example:
drop tcp any any -> any any ( content : "facebook" ; msg : "Facebook is
Blocked" ; sid : 200001 ; rev : 1; resp: reset_both;)
On Tue, Sep 29, 2015 at 4:34 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Is your sensor inline?



You can test to see if the rule will drop by running snort something like
this:



./bin/snort -c etc/test.conf -Q --daq dump --daq-var load-mode=read-file
-r etc/test.pcap -l. -H -U -k none -q



The daq will dump an inline-out.pcap that you can look at and see the
reset packets in there.



I just tested this on a rule and it works.





Albert Lewis

QA Software Engineer

SOURCE*fire*, Inc. now part of *Cisco*

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



*From:* Lavanya Kumar [mailto:lavanyakumar84 () gmail com]
*Sent:* Tuesday, September 29, 2015 1:17 AM
*To:* snort-users () lists sourceforge net; Al Lewis (allewi)
*Subject:* Fwd: [Snort-users] Block packets using snort with pf_ring
Thanks for your reply,

I have changed my rule according to your suggestion, but it doesn't
work. Here is my rule:
drop tcp any any -> any any ( content : "facebook" ; msg : "Facebook is
Blocked" ; sid : 200001 ; rev : 1; resp: reset_both;)

My query is that I would like to block some URLs, viz.
facebook, youtube, etc., within the network. I configured my server at router
level and 1 client machine was connected to this server. Those machines
should not be allowed to access the specified URLs. I would like to achieve this
using pf_ring without any packet loss.



09/28-14:23:45.058089  [Drop] [**] [1:200001:1] Facebook is Blocked [**]
[Priority: 1]



I am getting this alert on the server machine, but the client could access
the website.



Previously, I could achieve this using the daq --nfq module.



Thanks,
-- 
@kumar@
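Al Lewis's test above relies on opening the inline-out.pcap written by the dump DAQ and confirming that the resp: reset_both rule actually emitted TCP resets. The script below is an added example, not code from the thread or from the Snort project: it parses a classic libpcap file (Ethernet framing, which is what the dump DAQ writes by default) and lists every TCP segment carrying the RST flag, so you can check whether resets went out in both directions before blaming pf_ring. It assumes the capture is classic pcap rather than pcapng and that the packets are plain IPv4 over Ethernet without VLAN tags; the embedded SAMPLE_PCAP is constructed here to stand in for a real inline-out.pcap.

```python
import struct
import sys

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data only)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,     # ports, seq, ack
                      5 << 4, flags, 8192, 0, 0)            # data offset=5, flags, win, csum, urg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic libpcap file with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1443000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed stand-in for inline-out.pcap: a client SYN followed by the two resets
# that a resp: reset_both rule is expected to inject (one toward each endpoint).
SAMPLE_PCAP = build_pcap([
    build_tcp_packet("10.0.0.5", "192.0.2.10", 40000, 80, TCP_SYN),
    build_tcp_packet("192.0.2.10", "10.0.0.5", 80, 40000, TCP_RST | TCP_ACK),
    build_tcp_packet("10.0.0.5", "192.0.2.10", 40000, 80, TCP_RST | TCP_ACK),
])


def iter_pcap_records(data):
    """Yield raw frames from a classic libpcap byte string, honouring its byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_resets(pcap_bytes):
    """Return (src, dst, sport, dport) for every IPv4 TCP segment with the RST flag set."""
    resets = []
    for frame in iter_pcap_records(pcap_bytes):
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                   # not IPv4 (VLAN tags are not handled)
        ip = frame[14:]
        if len(ip) < 20:
            continue
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                                   # not TCP, or truncated header
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if tcp[13] & TCP_RST:                          # flags byte of the TCP header
            resets.append((src, dst, sport, dport))
    return resets


def resets_in_file(path):
    """Convenience wrapper: read a capture from disk and return its RST segments."""
    with open(path, "rb") as fh:
        return tcp_resets(fh.read())


if __name__ == "__main__":
    # Usage: python3 check_resets.py inline-out.pcap   (falls back to the built-in sample)
    found = resets_in_file(sys.argv[1]) if len(sys.argv) > 1 else tcp_resets(SAMPLE_PCAP)
    for src, dst, sport, dport in found:
        print("RST %s:%d -> %s:%d" % (src, sport, dst, dport))
    print("%d reset segment(s) found" % len(found))
```

With reset_both you should see a reset toward each side of the connection; if inline-out.pcap contains none, the rule is not firing in the dump DAQ test and the pf_ring question is moot, whereas resets in the dump but not on the wire point at the inline DAQ path itself.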