Re: React & Resp keyword working

["Atul Shrivastava" <atulsh () hclinsys com>]

You can install the snort sensor on the internet network viz one in DMZ, one in MZ, one in hrd and many more and make 
them centralized. IDS is also used to have an eye on the employees also. SO for me it is necessary to put my IDS on 
more than one locations and in the internal network. That's why I am interested in such things.
Also in big organizations, pepole want to have more than one sensors within their office. So for that pls confider my 
problem and try to give me some solution.
Further if the keywords "RESP" and "REACT" has been introduced in the snort rule base then they must have some 
intersion to introduce. Can you atleast tell me how can we do URL filtering through SNORT using the keyword "REACT"
Thanks in  advance.

Merry Christmas and a fruitful new year .......
Regards and have a nice day,
                           Atul Shrivastava
                           Info Structure Services
                           HCL INFOSYSTEMS LTD.
                           E - 4,5,6 Sector XI,
                           Noida - 201301
                           Tel: 91-120-2526910,2443013


----- Original Message ----- 
From: "Alberto Gonzalez" <albertg () cerebro violating us>
To: "Atul Shrivastava" <atulsh () hclinsys com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, December 31, 2002 5:24 PM
Subject: Re: [Snort-users] React & Resp keyword working


> Well, your saying that they *only* listen on the nw g/w. Well snort is 
> meant to run on the network g/w. Doesn't
> mean you can't have snort running on the internal interface of the gw 
> which the rest of the machines connect to
> (HUB scenario)? Hogwash and Snortsam can both do this.
>
> Cheers,
>     Alberto Gonzalez
>
>
> Atul Shrivastava wrote:
>
> > Dear Alberto,
> >  
> > Thx for this.
> >  
> > I go through the Snortsam and Hogwash, but they doesn't fullfill my 
> > requirement.
> > Actually for Hogwash, I have to put my snort box in a pass-through 
> > mode between the internal and external n/w and for Snortsam, it only 
> > modifies the rules for some firewall which is again at the gateway of 
> > the n/w.
> > Let say some internal guy is doing somethink ill-legal, then these two 
> > will not work.
> > Suppose I want that no porson in my internal network will not be able 
> > to do FTP within the network if the file contains some specified 
> > characters or say logging as "root".
> > So for it Snortsam and Hogwash will not be able to detect and take a 
> > action according to that. I want that as this guy initialte such 
> > things and when the Snort come to know about this then the connection 
> > is blocked automatically and a message is send to the user doing that.
> >
> > Merry Christmas and a fruitful new year .......
> > Regards and have a nice day,
> >                            Atul Shrivastava
> >                            Info Structure Services
> >                            HCL INFOSYSTEMS LTD.
> >                            E - 4,5,6 Sector XI,
> >                            Noida - 201301
> >                            Tel: 91-120-2526910,2443013
> >  
> > ------------------------------------------------------------------------
> > ----- Original Message -----
> > From: "Alberto Gonzalez" <albertg () cerebro violating us 
> > <mailto:albertg () cerebro violating us>>
> > To: "Atul Shrivastava" <atulsh () hclinsys com <mailto:atulsh () hclinsys com>>
> > Sent: Tuesday, December 31, 2002 1:44 PM
> > Subject: Re: [Snort-users] React & Resp keyword working
> >
> > > If you *haven't* compiled snort with flexresp, i think you can answer
> > > your own question if they will work.
> > > I suggest looking into snortsam for blocking of offending connections.
> > > That or Hogwash will do. You can
> > > use flexresp but I've seen people bork their networks cause of it. I've
> > > played with all three, and my choices
> > > will be hogwash and or snortsam for the job.
> > >
> > > Cheers,  
> > >     Alberto Gonzalez
> > >
> > > Atul Shrivastava wrote:
> > >
> > > > Hello,
> > > >
> > > > I am quiet keen to know about the keyword "RESP" & "REACT"
> > > > I am working on Snort for a long time and now I need to forcely block
> > > > the connections which are not legal. So for that I need to use these
> > > > two keywords. I have got enough knowledge about these two keywords 
> > but
> > > > before going for it, I would like to ask you that I have not compiled
> > > > my snort (./configure) with flexresp.
> > > > So I want to know that whether these rules will work on my machine or
> > > > not. Further you have told that some message be sent to the user fot
> > > > it but it will be available soon. I am using the snort verison 1.9.1.
> > > > Is these facility is available in this verison.
> > > > Please help me in this issue. Thanks in advance.
> > > >
> > > > Merry Christmas and a very happy new year ......
> > > > Regards and have a nice day,
> > > >                            Atul Shrivastava
> > > >                            Info Structure Services
> > > >                            HCL INFOSYSTEMS LTD.
> > > >                            E - 4,5,6 Sector XI,
> > > >                            Noida - 201301
> > > >                            Tel: 91-120-2526910,2443013
> > >
> > >
> > > --
> > > The secret to success is to start from scratch and keep on scratching.
>
>
> -- 
> The secret to success is to start from scratch and keep on scratching.