Re: [Hogwash-devel] Re: what is the difference between these rules!??!?!

[funky <azimlinux () yahoo com>]

Hi,

I'm making the test at my home using ppp0 for external
interface and eth0 for internal interface. It works at
all:)

Can you explain my my the porn.rules ruleseare written
as below:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any /
> > (msg:"Game site in not
> > allowed!!";content:"tavla";nocase;flags:A+)

this is only for making alerts and loggging?!?!
If i wanna block a site, i.e. www.site.com , how can
it be made?!? Is the solution below is good?? Or can
you tell me a better rule!? :
drop tcp any any <> any any /
> > (msg:"Game site is not allowed!!";
> content:"www.site.com";)

thanx

funky



--- Matt Kettler <mkettler () evi-inc com> wrote:
> How are you physically configured? Is the network
> traffic in question 
> running *through* your snort box (ie: the machine
> running snort acts as a 
> router with 2 network cards), or alongside it?
> Hogwash will only work if 
> your snort box is an in-line router, and will not
> work as a 
> single-interface side-monitor connected via a hub or
> ethernet tap.
>
>
> Hogwash will only work if configured like this:
>
> internet ---- snort_hogwash_machine ---  protected
> machine
>
> it will not work like this:
>
> internet ------ hub/tap ------ "protected" machine
> (not really protected)
>                  |
>           snort_hogwash_machine.
>
> The second setup works for normal snorting, but does
> not work for 
> hogwashing since the snort machine can only see the
> packets in question, it 
> can't block them since it's not "in line". If the
> second case is your only 
> possible configuration, your best bet is flexresp,
> but that works by 
> spoofing reset packets and does not work 100%
> reliably.
>
>
>
> At 10:42 AM 8/3/2002 -0700, funky wrote:
>
> > Hi,
> >
> > I'm trying to block some sites using the hogwash
> patch
> > for Snort.
> >
> > I tried the rule below like the porn.rules:
> >
> > drop tcp $EXTERNAL_NET 80 -> $HOME_NET any /
> > (msg:"Game site in not
> > allowed!!";content:"tavla";nocase;flags:A+)
> >
> > Tyring to enter a web-site froma client, for
> exemple
> > www.tavla.com, i can enter that, why!?!??!?!
> > i have to modify the rule like below in order to
> block
> > the site:
> >
> > drop tcp any any <> any any /
> > (msg:"Game site is not allowed!!";
> content:"tavla";)
> > Now i'M not allowed to enter the sites.
> > So do i have to modify the rules like that which i
> > wanna apply the "drop" option!??!??!
> >
> > Anyone can help me in that case please?!?!?
> >
> > thanx
> >
> > funky
> > Istanbul
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Hogwash-devel mailing list
> Hogwash-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/hogwash-devel


__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users