Snort mailing list archives
Re: Block packets using snort with pf_ring
From: Lavanya Kumar <lavanyakumar84 () gmail com>
Date: Sat, 3 Oct 2015 17:30:01 +0530
Hello,

Yes, my sensor is inline. I tried that command but it doesn't work for me. Although I am sure that my rule is working, because the same rule blocks the packets when I am running "snort in daq --nfq mode". I used the same rule in Snort with pf_ring.

Is it possible to block specific URLs using pf_ring and Snort inline? For example:

drop tcp any any -> any any ( content : "facebook" ; msg : "Facebook is Blocked" ; sid : 200001 ; rev : 1; resp: reset_both;)

On Tue, Sep 29, 2015 at 4:34 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

> Is your sensor inline?
>
> You can test to see if the rule will drop by running snort something like this:
>
> ./bin/snort -c etc/test.conf -Q --daq dump --daq-var load-mode=read-file -r etc/test.pcap -l . -H -U -k none -q
>
> The daq will dump an inline-out.pcap that you can look at and see the reset packets in there.
>
> I just tested this on a rule and it works.
>
> Albert Lewis
> QA Software Engineer
> SOURCE*fire*, Inc. now part of *Cisco*
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi () cisco com
>
> *From:* Lavanya Kumar [mailto:lavanyakumar84 () gmail com]
> *Sent:* Tuesday, September 29, 2015 1:17 AM
> *To:* snort-users () lists sourceforge net; Al Lewis (allewi)
> *Subject:* Fwd: [Snort-users] Block packets using snort with pf_ring
>
> Thanks for your reply. I have changed my rule according to your suggestion, but it doesn't work. Here is my rule:
>
> drop tcp any any -> any any ( content : "facebook" ; msg : "Facebook is Blocked" ; sid : 200001 ; rev : 1; resp: reset_both;)
>
> My query is: I would like to block some of the URLs, viz. facebook, youtube, etc., within the network. I configured my server at router level and 1 client machines were connected to this server. Those machines should not be allowed to access the specified URLs. I would like to achieve this using pf_ring without any packet loss.
>
> 09/28-14:23:45.058089 [Drop] [**] [1:200001:1] Facebook is Blocked [**] [Priority: 1]
>
> I am getting this alert on the server machine, but the client could access the website. Previously, I could achieve this using the daq -nfq module.
>
> Thanks,
-- @kumar@
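
Added example, not part of either message and not Snort project code: one way to check the inline-out.pcap that the quoted reply says the dump DAQ writes is to count the TCP segments in it that carry the RST flag. The sample capture is constructed inline, and the script assumes a classic (non-pcapng) Ethernet/IPv4 capture.

```python
import struct
import sys

TCP_RST = 0x04

def build_frame(flags):
    """Constructed Ethernet/IPv4/TCP frame (TEST-NET addresses, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def count_tcp_rst(pcap_bytes):
    """Return (tcp_packets, rst_packets) for an Ethernet/IPv4 classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap capture")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off, total, rst = 24, 0, 0
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP (VLAN-tagged frames are skipped too)
        tcp_off = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp_off + 14:
            continue  # truncated TCP header
        total += 1
        rst += bool(frame[tcp_off + 13] & TCP_RST)
    return total, rst

# Constructed sample: SYN, PSH|ACK, then two RST|ACK segments standing in
# for the resets a reset_both response would add (an assumption, not a capture).
SAMPLE = build_pcap([build_frame(f) for f in (0x02, 0x18, 0x14, 0x14)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("tcp packets: %d, with RST set: %d" % count_tcp_rst(data))
```

Pass the path of inline-out.pcap as the only argument. A zero RST count there means no reset packets reached the DAQ output for that test run.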