Snort mailing list archives

Snort react should return HTTP 302 instead of HTTP 403


From: Rishabh Shah <rishabh420 () gmail com>
Date: Thu, 26 Feb 2015 12:37:01 +0530

Hi Snort Team,

Is it possible that Snort can return an HTTP 302 page instead of HTTP 403
forbidden when react is configured in the configuration file?

I have defined "config react: /var/www/html/block.html" in my configuration
file and my traffic hits the following rule:
reject tcp any any -> any any (msg:"Illegal access"; appid: facebook; sid: 1020120; rev: 1; react: msg;)

On my Windows client, I receive an HTTP 403 forbidden after sending a
Facebook request as shown in the packet capture below:

GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.facebook.com
Connection: Keep-Alive
Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l


HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 99


<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p>
</body> </html>

<^Content of block.html>

But I want Snort to return HTTP 302 instead of HTTP 403, as the above
message doesn't get displayed in the browser when the response is HTTP 403.

I tried modifying "snort-2.9.7.0/src/detection-plugins/sp_react.c"
(replacing "HTTP/1.1 403 Forbidden\r\n" with "HTTP/1.1 302 Moved Temporarily\r\n")
and did a make/make install to update the sp_react.o (object file). But I
am still receiving HTTP 403.

Kindly let me know if I am missing anything. Thank You!

Regards,
Rishabh Shah.
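
To confirm what the sensor actually sends after a rebuild, the raw response bytes from a client-side capture can be checked mechanically. The following is an added example, not part of the original post or of Snort's code; the sample responses are constructed from the capture above, and `blockpage.example` is a placeholder host. It flags a mismatched Content-Length and a 3xx status that carries no Location header, which is what results when only the status line is changed.

```python
# Added example: sanity-check a block-page response captured on the client.

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF end-of-headers marker found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def check_block_response(raw: bytes):
    """Return (status, problems); problems lists what a browser cannot act on."""
    status, headers, body = parse_response(raw)
    problems = []
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        problems.append("Content-Length %s does not match %d body bytes" % (declared, len(body)))
    if 300 <= status < 400 and status != 304 and "location" not in headers:
        problems.append("%d without a Location header: no redirect target" % status)
    return status, problems

# Constructed samples modelled on the capture in the post (not real traffic).
PAGE = b"<!DOCTYPE html>\n<html>\n<body>\n<h1>My Heading</h1>\n<p>My paragraph.</p>\n</body>\n</html>\n"

def build(status_line: bytes, extra: bytes = b"") -> bytes:
    """Assemble a response with the same headers as the capture, plus optional extras."""
    return (status_line + b"\r\nConnection: close\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n" + extra +
            b"Content-Length: " + str(len(PAGE)).encode() + b"\r\n\r\n" + PAGE)

SAMPLE_403 = build(b"HTTP/1.1 403 Forbidden")
SAMPLE_302_BARE = build(b"HTTP/1.1 302 Moved Temporarily")  # status line swapped only
SAMPLE_302_LOC = build(b"HTTP/1.1 302 Moved Temporarily",
                       b"Location: http://blockpage.example/block.html\r\n")  # placeholder URL

if __name__ == "__main__":
    for name, raw in [("403", SAMPLE_403), ("302 bare", SAMPLE_302_BARE),
                      ("302 + Location", SAMPLE_302_LOC)]:
        print(name, check_block_response(raw))
```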