Snort mailing list archives

snort daqs capabilities


From: Mark Greenman <mark.greenman.014 () gmail com>
Date: Mon, 8 Dec 2014 18:10:11 +0330

Hi. I am new to Snort and I am confused about some actions performed
by some DAQs.
I am trying to use the react rule option to block some applications (using
the appid rule option) and send another web page instead.

Three scenarios were examined:
1- snort using pcap daq when listening on the interface connected to
the server network,
2- snort using pcap daq when listening on the interface connected to
the client network,
3- snort using nfq daq for extracting packets from a user space queue.

When pcap on the client side interface is used, the connection is
destroyed successfully and the webpage is sent to the client. How is
it possible for pcap to drop packets if it is not in inline mode? Or
is pcap running in inline mode?
When pcap on the server side interface is used, the connection is
destroyed again but no webpage is sent to the client. What do you
think is the reason for that?
Finally, when nfq is used, again the connection is destroyed (which is
normal) but the page is not sent to the client. What is the reason for
this one?

Thank you very much
Mark.
