Snort mailing list archives

Re: Block packets using snort with pf_ring


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 29 Sep 2015 11:04:13 +0000

Is your sensor inline?

You can test to see if the rule will drop by running snort something like this:

./bin/snort -c etc/test.conf -Q --daq dump --daq-var load-mode=read-file -r etc/test.pcap -l. -H -U -k none -q

The daq will dump an inline-out.pcap that you can look at and see the reset packets in there.

I just tested this on a rule and it works.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

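One way to carry out the check Al describes (look in the dump DAQ's inline-out.pcap for the resets) without opening the file by hand. This parser is an added example, not code from the thread or from Snort: it reads a classic pcap and lists every TCP packet with the RST flag set, so a rule using resp:reset_both should produce entries towards both ends of the flow. The sample pcap embedded below is constructed; for a real run, feed it the bytes of inline-out.pcap instead.

```python
import struct

def _tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample standing in for inline-out.pcap: the client's SYN, then the
# RST|ACK pair that resp:reset_both would send towards both ends of the flow.
SAMPLE_PCAP = _pcap([
    _tcp_frame([10, 0, 0, 5], [203, 0, 113, 10], 40000, 80, 0x02),   # SYN
    _tcp_frame([203, 0, 113, 10], [10, 0, 0, 5], 80, 40000, 0x14),   # RST|ACK to client
    _tcp_frame([10, 0, 0, 5], [203, 0, 113, 10], 40000, 80, 0x14),   # RST|ACK to server
])

def tcp_resets(pcap_bytes):
    """Return (src, dst, sport, dport) for each TCP packet in the pcap with RST set."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    resets, off = [], 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # too short / not IPv4
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4                     # 14-byte Ethernet + IHL
        if frame[14 + 9] != 6 or len(frame) < tcp + 14:       # not TCP / truncated
            continue
        if frame[tcp + 13] & 0x04:                            # RST flag set
            sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
            src = ".".join(map(str, frame[26:30]))            # IP src at header offset 12
            dst = ".".join(map(str, frame[30:34]))            # IP dst at header offset 16
            resets.append((src, dst, sport, dport))
    return resets

if __name__ == "__main__":
    # Real use: tcp_resets(open("inline-out.pcap", "rb").read())
    for r in tcp_resets(SAMPLE_PCAP):
        print("RST %s:%d -> %s:%d" % (r[0], r[2], r[1], r[3]))
```

If the list comes back empty for a real inline-out.pcap, the rule never fired in inline mode, which points at the sensor not actually being inline rather than at the rule syntax.
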
From: Lavanya Kumar [mailto:lavanyakumar84 () gmail com]
Sent: Tuesday, September 29, 2015 1:17 AM
To: snort-users () lists sourceforge net; Al Lewis (allewi)
Subject: Fwd: [Snort-users] Block packets using snort with pf_ring



Thanks for your reply,
I have changed my rule according to your suggestion, but it doesn't work. Here is my rule:
drop tcp any any -> any any ( content : "facebook" ; msg : "Facebook is Blocked" ; sid : 200001 ; rev : 1; resp: reset_both;)

My query is: I would like to block some of the URLs, viz. facebook, youtube, etc., within the network. I configured my
server at router level and 1 client machine was connected to this server. Those machines should not be allowed to access
the specified URLs. I would like to achieve this using pf_ring without any packet loss.

09/28-14:23:45.058089  [Drop] [**] [1:200001:1] Facebook is Blocked [**] [Priority: 1]

I am getting this alert on the server machine, but the client could access the website.

Previously, I could achieve this using daq -nfq module.

Thanks,

