Re: snort 2.8.5.3 with react keyword not sending msg to browser

[Joel Esler <jesler () sourcefire com>]

/** please make sure you cc the snort-users group **/

It looks like you have the field typed correctly, I am not sure why Snort
isn't accepting it.

Joel

On Tue, Apr 27, 2010 at 9:08 AM, RMS, Admin <Admin.RMS () apx fr> wrote:

>  Hello Joel,
>
>
>
> Thanks for your answer.
>
>
>
> Did you build Snort with --enable-react at ./configure time?
>
> è Yes, I did, and no error at ./configure, make, make install time
>
>
>
> Br,
>
> Alexandre
>
>
>
>
>
> *De :* Joel Esler [mailto:jesler () sourcefire com]
> *Envoyé :* mardi 27 avril 2010 14:52
> *À :* RMS, Admin
> *Cc :* snort-users () lists sourceforge net
> *Objet :* Re: [Snort-users] snort 2.8.5.3 with react keyword not sending
> msg to browser
>
>
>
> Did you build Snort with --enable-react at ./configure time?
>
>
>
> Joel
>
>
>
> On Apr 27, 2010, at 7:26 AM, RMS, Admin wrote:
>
>
>
>   Hello,
>
> I’m using snort 2.8.5.3 inline, and i try to set up a msg with the react
> keyword for users (ip) which trigger the following alert :
>
> alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \
> msg:"Notforchildren!";sid:111000101;react:block, msg;)
>
> The alert is seen in the snort log, but not in the user’s browser.
> (I suppose that the content of the msg send to the browser is
> “Notforchildren!”)
>
> Then, I’v tried with
>
> alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \
> msg:"Notforchildren!";sid:111000101;react:block, msg, proxy 8080;)
>
> I don’t understand the modifier "proxy". It is a local port which send the
> msg to user or is it the web proxy ?
>
> And the following error occurs when starting snort :
>
> ERROR: /etc/snort_inline/rules/local.rules(7): invalid react modifier:
> proxy 8080
>
> Question : How snort send message to browser ? Does it with any Os or
> browser (IE, Firefox…) ?
>
> Thanks in advance,
>
> Al.
>
>
>
>
>  ------------------------------
>
> Avant d'imprimer ce message, pensez à la protection de notre environnement.
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
>
> Joel Esler
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> - ---------------------------------------------------
> Scan Virus/ASpam par MessageLabs pour APX
> Pv.
> . ---------------------------------------------------



-- 
Joel Esler

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users