Snort mailing list archives
Re: help - React keyword use to display message on web browser
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 28 Mar 2016 10:50:45 +0000
Sure. Inline-out.pcap is attached as well as the example I used to get the page to generate.

I ran it with:

    ./bin/snort -c etc/TEST.conf -Q --daq dump --daq-var load-mode=read-file -r etc/TEST.pcap -l. -k none -q

Try this and see if you can get the page to generate.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amul Patel [mailto:amulpatel.biz () gmail com]
Sent: Monday, March 28, 2016 3:32 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

Thanks Albert,

Quick update: I am using NFQ as the data packet source and have already run a parallel tcpdump command on the given interface and generated a .pcap file. I opened the pcap in the Wireshark tool but I did not see any packet related to the message in the pcap file. It seems snort is not sending the message.

Do you have any sample pcap file which shows the message being sent by snort, for reference?

Thanks,
Amul Patel

On Fri, Mar 25, 2016 at 6:04 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,

Try running snort with “--daq dump --daq-var load-mode=read-file -Q” so it will dump a file “inline-out.pcap”. You can check that file to see if the page is being sent. That should tell you if there is something wrong with the config or network related.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amul Patel [mailto:amulpatel.biz () gmail com]
Sent: Friday, March 25, 2016 5:59 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] help - React keyword use to display message on web browser

Hello Team,

I need help using the react keyword to display a message (default or user defined) in the web browser.

I am using snort version 2.9.8.0 on a linux machine. I have enabled the required options during configuration as mentioned below:

    ./configure --enable-active-response --enable-react --enable-flexresp3 \

I am executing snort in inline mode:

    /usr/bin/snort -Q -k none -v -dev -c /etc/snort/snort.conf

The following is the rule I am using:

    drop tcp any any -> any any (msg: "GET Packet is not allowed";content:"GET";nocase;classtype:inappropriate-content;sid:9787879;react,msg)

It is blocking and logging the message in the csv log file but does not send the default message or the rule message to the browser. Just a "connection reset" message is displayed in the web browser.

I even tried a lot of different options with different rules, changed the sid, no msg keyword with react, snort in tap mode etc., but none of the options work.

I checked the react.c file where the default HTTP & HTML page is declared, and tried to understand the code as well to see if there is any bug there.

Can anyone help me out to display the message in the web browser? Is any firewall rule also needed, or any other setting apart from snort?

Thanks in advance,
Regards,
Amul Patel

--
Thanks & Regards,
Amul Patel
07875648886
Attachment:
TEST.pcap
Description: TEST.pcap
Attachment:
TEST.conf
Description: TEST.conf
Attachment:
inline-out.pcap
Description: inline-out.pcap
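
Added example (not part of the original message and not Snort's own code): one way to carry out the check suggested in this thread, reading a capture such as inline-out.pcap and reporting any HTTP response segments alongside the number of RSTs. It assumes a classic (non-pcapng) pcap with Ethernet link type; the capture built at the bottom, its addresses and its 403 status line are constructed for illustration.

```python
import struct

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, flags, payload) per IPv4/TCP packet."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic pcap with Ethernet link type")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        # Slice from the end of the IP header to the IP total length (drops padding).
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        if ip[9] != 6 or len(tcp) < 20:
            continue  # not TCP, or truncated
        sport, dport = struct.unpack("!HH", tcp[:4])
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        yield src, sport, dst, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]

def summarize(pcap):
    """Return (HTTP response status lines with endpoints, RST count)."""
    pages, resets = [], 0
    for src, sport, dst, dport, flags, payload in tcp_segments(pcap):
        if payload.startswith(b"HTTP/1."):
            status = payload.split(b"\r\n", 1)[0].decode("latin-1")
            pages.append((f"{src}:{sport}", f"{dst}:{dport}", status))
        resets += bool(flags & 0x04)  # RST bit
    return pages, resets

# --- constructed sample capture (not the thread's inline-out.pcap) ---
def frame(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

CLIENT, SERVER = (10, 0, 0, 2), (10, 0, 0, 1)
SAMPLE = build_pcap([
    frame(CLIENT, SERVER, 40000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    frame(SERVER, CLIENT, 80, 40000, 0x19, b"HTTP/1.1 403 Forbidden\r\n\r\nblocked"),
    frame(CLIENT, SERVER, 40000, 80, 0x14)])
print(summarize(SAMPLE))
```

An empty first list together with a non-zero RST count matches the symptom described in the original question: the connection is reset but no page reaches the browser.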
Current thread:
- help - React keyword use to display message on web browser Amul Patel (Mar 25)
- Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 25)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 28)
- Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 28)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 28)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 28)
- Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 29)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 30)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 29)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 31)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 31)
- Re: help - React keyword use to display message on web browser wkitty42 (Mar 31)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 28)
- Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 25)
- Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 28)