Snort mailing list archives
Re: React & Resp keyword working
From: "Atul Shrivastava" <atulsh () hclinsys com>
Date: Tue, 31 Dec 2002 15:54:45 +0530
You can install the snort sensor on the internet network viz one in DMZ, one in MZ, one in hrd and many more and make them centralized. IDS is also used to have an eye on the employees also. SO for me it is necessary to put my IDS on more than one locations and in the internal network. That's why I am interested in such things. Also in big organizations, pepole want to have more than one sensors within their office. So for that pls confider my problem and try to give me some solution. Further if the keywords "RESP" and "REACT" has been introduced in the snort rule base then they must have some intersion to introduce. Can you atleast tell me how can we do URL filtering through SNORT using the keyword "REACT" Thanks in advance. Merry Christmas and a fruitful new year ....... Regards and have a nice day, Atul Shrivastava Info Structure Services HCL INFOSYSTEMS LTD. E - 4,5,6 Sector XI, Noida - 201301 Tel: 91-120-2526910,2443013 ----- Original Message ----- From: "Alberto Gonzalez" <albertg () cerebro violating us> To: "Atul Shrivastava" <atulsh () hclinsys com> Cc: <snort-users () lists sourceforge net> Sent: Tuesday, December 31, 2002 5:24 PM Subject: Re: [Snort-users] React & Resp keyword working
Well, your saying that they *only* listen on the nw g/w. Well snort is meant to run on the network g/w. Doesn't mean you can't have snort running on the internal interface of the gw which the rest of the machines connect to (HUB scenario)? Hogwash and Snortsam can both do this. Cheers, Alberto Gonzalez Atul Shrivastava wrote:Dear Alberto, Thx for this. I go through the Snortsam and Hogwash, but they doesn't fullfill my requirement. Actually for Hogwash, I have to put my snort box in a pass-through mode between the internal and external n/w and for Snortsam, it only modifies the rules for some firewall which is again at the gateway of the n/w. Let say some internal guy is doing somethink ill-legal, then these two will not work. Suppose I want that no porson in my internal network will not be able to do FTP within the network if the file contains some specified characters or say logging as "root". So for it Snortsam and Hogwash will not be able to detect and take a action according to that. I want that as this guy initialte such things and when the Snort come to know about this then the connection is blocked automatically and a message is send to the user doing that. Merry Christmas and a fruitful new year ....... Regards and have a nice day, Atul Shrivastava Info Structure Services HCL INFOSYSTEMS LTD. E - 4,5,6 Sector XI, Noida - 201301 Tel: 91-120-2526910,2443013 ------------------------------------------------------------------------ ----- Original Message ----- From: "Alberto Gonzalez" <albertg () cerebro violating us <mailto:albertg () cerebro violating us>> To: "Atul Shrivastava" <atulsh () hclinsys com <mailto:atulsh () hclinsys com>> Sent: Tuesday, December 31, 2002 1:44 PM Subject: Re: [Snort-users] React & Resp keyword workingIf you *haven't* compiled snort with flexresp, i think you can answer your own question if they will work. I suggest looking into snortsam for blocking of offending connections. That or Hogwash will do. You can use flexresp but I've seen people bork their networks cause of it. I've played with all three, and my choices will be hogwash and or snortsam for the job. Cheers, Alberto Gonzalez Atul Shrivastava wrote:Hello, I am quiet keen to know about the keyword "RESP" & "REACT" I am working on Snort for a long time and now I need to forcely block the connections which are not legal. So for that I need to use these two keywords. I have got enough knowledge about these two keywordsbutbefore going for it, I would like to ask you that I have not compiled my snort (./configure) with flexresp. So I want to know that whether these rules will work on my machine or not. Further you have told that some message be sent to the user fot it but it will be available soon. I am using the snort verison 1.9.1. Is these facility is available in this verison. Please help me in this issue. Thanks in advance. Merry Christmas and a very happy new year ...... Regards and have a nice day, Atul Shrivastava Info Structure Services HCL INFOSYSTEMS LTD. E - 4,5,6 Sector XI, Noida - 201301 Tel: 91-120-2526910,2443013-- The secret to success is to start from scratch and keep on scratching.-- The secret to success is to start from scratch and keep on scratching.
Current thread:
- React & Resp keyword working Atul Shrivastava (Dec 30)
- Message not available
- Re: React & Resp keyword working Atul Shrivastava (Dec 31)
- Re: React & Resp keyword working Alberto Gonzalez (Dec 31)
- Re: React & Resp keyword working Atul Shrivastava (Dec 31)
- Re: React & Resp keyword working Atul Shrivastava (Dec 31)
- Message not available