Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Kill current session with Snort/Snortsam

From: "Vincent Corriveau" <Vincent.Corriveau () criq qc ca>
Date: Sun, 15 Sep 2002 22:20:33 -0400
I want to deny MSN Messenger access to my internal 
users. How I must do for stopping access to MSN Messenger to the 
user
without blocking anything else (for exemple: HTTP, NNTP, Telnet) for the 
same user.
I don't want to block external MSN servers for all users 
because I think they are used
by hotmail.com. I try the following rule but all (HTTP, NNTP...) is 
denied. ruletype bloquer
 {
  type alert 
output
  output alert_fwsam: x.x.x.x/y
  output alert_full: 
/var/log/snort/alert_fwsam.txt
 } bloquer tcp $HOME_NET any -> $EXTERNAL_NET 80 
\
 ( \
  msg:"MSN Poll - HTTP"; \
  
uricontent:"/gateway/gateway.dll?Action=poll"; offset:0; depth:90; \
  
flags:PA; \
  fwsam: this, 60 seconds; \
  ) 

I use Snort 1.8.7 and Snortsam 1.13 plugin
Thanks !
Vincent C


-------------------------------------------------------
Sponsored by: AMD - Your access to the experts on Hammer Technology!
Open Source & Linux Developers, register now for the AMD Developer
Symposium. Code: EX8664 http://www.developwithamd.com/developerlab
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: