Snort mailing list archives

Block packages


From: Carlos Illana <sistemas () holisticas com>
Date: Fri, 07 Sep 2001 07:08:18 GMT

Hi all,

I'm a new snort user. I've finally installed and configured snort version 
1.8.1.
I'm alerted now from packages that match the expressions of the rules, but 
I'm really tired of red code attacks in my web server log and I want to 
block all these IP packages.

I have the following rule:
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS552/web-iis_IIS ISAPI Overflow ida";dsize:>239;flags:A+;content:".ida?")

It alerts me to the attack, but it doesn't block the package.

I have tried:

alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS552/web-iis_IIS ISAPI Overflow ida";dsize:>239;flags:A+;content:".ida?";react: block, msg;)

But snort complains that react is not a recognized keyword, in spite of 
what is in the manual 
(http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24).

Do I have to use Guardian or something similar???? Can I simply reject 
all packages that match the rules, or is snort sniffing packages in 
parallel with the package routing???

Thanx in advance,

Carlos
