Snort mailing list archives

Re: snort 2.8.5.3 with react keyword not sending msg to browser


From: "RMS, Admin" <Admin.RMS () apx fr>
Date: Wed, 28 Apr 2010 10:04:04 +0200

Hello,

Thank you for your patch.

Actually my Firefox shows the "the connection was reset" message when my PC matches the react rule, but I can't see the message that's in my snort rule...

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (content:"GET"; \
flow: to_server,established;content:"yahoo.com"; \
msg:"Notforchildren!";sid:111000101;react:block, msg;)

thanks in advance

alexandre
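
A small checker for the react option syntax discussed in this thread, added here as an example and not code from Snort or from anyone on the list: it splits a rule's option list, validates the modifiers the Snort 2.8 manual documents for react (block or the deprecated warn, plus msg and proxy <port>, with 8080 as the default proxy port as Russ notes), and reports unknown tokens with the same "invalid react modifier" wording as the error quoted in the thread. It is only a model of the syntax; Snort's real parser is in sp_react.c, and the sample rule below is constructed from the one posted in the thread.

```python
import re
# Snort 2.8 react modifiers: one basic reaction (block, or the deprecated warn),
# then optional "msg" and "proxy <port>"; 8080 is the default proxy port.
REACT_BASIC = {"block", "warn"}
DEFAULT_PROXY_PORT = 8080
# Constructed sample: the rule from this thread, with its backslash continuation.
EXAMPLE_RULE = '''alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \\
msg:"Notforchildren!";sid:111000101;react:block, msg, proxy 8080;)'''

def split_rule_options(body):
    """Split rule option text into (keyword, value) pairs; ';' inside quotes is literal."""
    pairs, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = "".join(cur).strip().partition(":")
            pairs.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        raise ValueError("option not terminated by ';': " + "".join(cur).strip())
    return pairs

def parse_react(value):
    """Validate 'block, msg, proxy 8080' style values; unknown tokens raise Snort's error."""
    basic, include_msg, proxy = None, False, DEFAULT_PROXY_PORT
    for tok in (t.strip() for t in value.split(",")):
        if tok in REACT_BASIC:
            basic = tok
        elif tok == "msg":
            include_msg = True
        else:
            m = re.fullmatch(r"proxy\s+(\d+)", tok)
            if not m or not 0 < int(m.group(1)) < 65536:
                raise ValueError("invalid react modifier: " + tok)
            proxy = int(m.group(1))
    if basic is None:
        raise ValueError("react: block or warn is required")
    return {"basic": basic, "msg": include_msg, "proxy": proxy}

def check_rule(rule):
    """Return react settings for a full rule plus the msg text the notice would carry."""
    rule = rule.replace("\\\n", " ")  # join backslash-continued lines
    # dict() keeps the last value of a repeated keyword; only msg and react are needed here
    opts = dict(split_rule_options(rule[rule.index("(") + 1 : rule.rindex(")")]))
    react = parse_react(opts["react"])
    react["notice"] = opts["msg"].strip('"') if react["msg"] else None
    return react
```

Running check_rule on the rule without "proxy 8080" gives the same result, since 8080 is the default; a bare "proxy" token or a misspelled modifier is rejected the way Snort rejects it.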

From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Tuesday 27 April 2010 15:51
To: Joel Esler
Cc: RMS, Admin; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.8.5.3 with react keyword not sending msg to browser

There is a bug in sp_react.c.  The attached patch will fix it.  Apply with:

cd src
patch -p0 < react.diff

If you just want to use 8080 as the proxy port, you can omit the option altogether and skip the patch as that is the default.

On Tue, Apr 27, 2010 at 9:23 AM, Joel Esler <jesler () sourcefire com> wrote:
I don't know, I don't run Snort on Windows. I don't run the react keyword.  I was basically saying that your format is correct in your rule, maybe someone else can pipe in and give you an opinion as well.

Joel

On Tue, Apr 27, 2010 at 9:16 AM, RMS, Admin <Admin.RMS () apx fr> wrote:
Is it working on Windows as well as on Linux (idem for Mozilla and Internet Explorer)?

What kind of message is supposed to appear on client Web browser (html, pop-up, ...)?

Thanks,
Alexandre

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday 27 April 2010 15:11
To: RMS, Admin
Cc: Snort Users
Subject: Re: [Snort-users] snort 2.8.5.3 with react keyword not sending msg to browser

/** please make sure you cc the snort-users group **/

It looks like you have the field typed correctly, I am not sure why Snort isn't accepting it.

Joel
On Tue, Apr 27, 2010 at 9:08 AM, RMS, Admin <Admin.RMS () apx fr> wrote:
Hello Joel,

Thanks for your answer.

Did you build Snort with --enable-react at ./configure time?

==> Yes, I did, and there was no error at ./configure, make, make install time

Br,
Alexandre


From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday 27 April 2010 14:52
To: RMS, Admin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.8.5.3 with react keyword not sending msg to browser

Did you build Snort with --enable-react at ./configure time?

Joel

On Apr 27, 2010, at 7:26 AM, RMS, Admin wrote:


Hello,

I'm using snort 2.8.5.3 inline, and I'm trying to set up a msg with the react keyword for users (IPs) that trigger the following alert:

alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \
msg:"Notforchildren!";sid:111000101;react:block, msg;)

The alert is seen in the snort log, but not in the user's browser.
(I suppose that the content of the msg sent to the browser is "Notforchildren!")

Then, I've tried with

alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \
msg:"Notforchildren!";sid:111000101;react:block, msg, proxy 8080;)

I don't understand the modifier "proxy". Is it a local port which sends the msg to the user, or is it the web proxy?

And the following error occurs when starting snort :

ERROR: /etc/snort_inline/rules/local.rules(7): invalid react modifier: proxy 8080

Question: How does snort send the message to the browser? Does it work with any OS or browser (IE, Firefox...)?

Thanks in advance,

Al.


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler



--
Joel Esler

--
Joel Esler
