Snort mailing list archives
Block packages
From: Carlos Illana <sistemas () holisticas com>
Date: Fri, 07 Sep 2001 07:08:18 GMT
Hi all,

I'm a new snort user. I've finally installed and configured snort version 1.8.1. I'm now alerted to packages that match the expressions of the rules, but I'm really tired of red code attacks in my web server log and I want to block all these IP packages.

I have the following rule:

alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS552/web-iis_IIS ISAPI Overflow ida";dsize:>239;flags:A+;content:".ida?")

It alerts me to the attack, but it doesn't block the package. I have tried:

alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS552/web-iis_IIS ISAPI Overflow ida";dsize:>239;flags:A+;content:".ida?";react: block, msg;)

But snort complains that react is not a recognized keyword, in spite of what is in the manual (http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24).

Do I have to use Guardian or something similar???? Can I simply reject all packages that match the rules, or is snort sniffing packages in parallel with the package routing???

Thanx in advance,
Carlos