Snort mailing list archives

React Rule Trouble


From: Daniel Ayoub <daniel () ayoub it>
Date: Fri, 19 Sep 2014 12:12:30 -0700

Hi,

I'm having some trouble getting 'react' rules to work properly. Hoping
someone can offer guidance on how to get HTTP hijacking to function
properly. I'm trying to redirect to a block page when specific URLs are
accessed. Not sure if the issue is with the way my rule is formatted or
the way my configuration is set. Running Snort as an inline IPS on a
transparent bridge; all rules are set to 'reject'.

Here's my install info...
Version 2.9.6.2 GRE (Build 77)
Using libpcap version 1.5.3
Using PCRE version: 8.35 2014-04-04
Using ZLIB version: 1.2.8

Snippet from config...
config react: ../../overlay/rules/block.html
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=250

Snort is started with...
snort -c /etc/snort/snort.conf -i eth0:eth1 -Q -D

Here's the rule I'm testing ---
reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URL - Pornography"; flow:to_server,established; content:"playboy.com"; classtype:policy-violation; sid:9999; react:msg;)

The log correctly shows that the rule is triggered --
09/19-18:40:04.625305  [Drop] [**] [1:9999:0] BLACKLIST URL - Pornography [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.254.168:43847 -> 204.74.99.100:80

The page is correctly blocked and the incident is correctly logged; however,
there are 2 problems.

1. The redirect / react page I added (block.html) is not being displayed.
2. As soon as I test this rule, all other traffic also stops flowing,
requiring me to kill and restart Snort. (Snort is still running according
to 'top', but no traffic is flowing.)

If I comment out the rule and the 'react' line in the config file, then restart Snort,
everything works fine again and I can access the URL without issue.

Thanks,
Daniel
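The quickest way to tell whether a react rule fired with the action you expect is to read the inline alert output rather than eyeball the browser. The following parser is an added example (not code from the post above or from the Snort project): it breaks Snort alert_fast lines like the one quoted in the post into fields, so you can confirm that sid 9999 produced a [Drop] verdict and that the flow in question was the HTTP connection you tested. The log lines in SAMPLE_LOG are constructed for the example; the first one mirrors the line in the post, and the other two are assumed to show what lines without the action tag, or without a port or classification, look like.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample alert_fast output. Line 1 mirrors the post's log line;
# lines 2 and 3 are made up to exercise the optional fields (no inline
# action tag, no Classification, no ports for ICMP).
SAMPLE_LOG = """\
09/19-18:40:04.625305  [Drop] [**] [1:9999:0] BLACKLIST URL - Pornography [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.254.168:43847 -> 204.74.99.100:80
09/19-18:41:10.001122  [**] [1:1000001:2] EXAMPLE ALERT ONLY [**] [Classification: Misc activity] [Priority: 3] {UDP} 172.16.254.168:51000 -> 8.8.8.8:53
09/19-18:42:00.000001  [WDrop] [**] [1:1000002:1] EXAMPLE ICMP [**] [Priority: 3] {ICMP} 172.16.254.168 -> 204.74.99.100
"""

# One alert_fast line: timestamp, optional inline verdict ([Drop], [WDrop], ...),
# gid:sid:rev, message, optional classification, priority, protocol, endpoints.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    ts: str
    action: Optional[str]      # "Drop"/"WDrop"/... in inline mode, None for plain alerts
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse a single alert_fast line; return None for anything that does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        ts=g["ts"],
        action=g["action"],
        gid=int(g["gid"]),
        sid=int(g["sid"]),
        rev=int(g["rev"]),
        msg=g["msg"],
        classification=g["classification"],
        priority=int(g["priority"]),
        proto=g["proto"],
        src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"],
        dport=int(g["dport"]) if g["dport"] else None,
    )


def parse_log(text: str) -> List[Alert]:
    """Parse every non-empty line, silently skipping lines that are not alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is not None:
            alerts.append(a)
    return alerts


def dropped_alerts(alerts: List[Alert]) -> List[Alert]:
    """Alerts where Snort actually dropped the packet (not just 'would drop')."""
    return [a for a in alerts if a.action == "Drop"]


def alerts_for_sid(alerts: List[Alert], sid: int) -> List[Alert]:
    """Alerts produced by one rule, e.g. the sid:9999 react rule."""
    return [a for a in alerts if a.sid == sid]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for a in alerts_for_sid(parsed, 9999):
        print(f"{a.ts} sid={a.sid} action={a.action} {a.proto} "
              f"{a.src}:{a.sport} -> {a.dst}:{a.dport} msg={a.msg!r}")
```

Run it against a real alert file with `parse_log(open("/var/log/snort/alert").read())`; a [Drop] for the rule's sid confirms the verdict was applied, and the destination port tells you whether the dropped packet was the HTTP request (port 80 here) that the react page would have been sent in response to.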
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users