Snort mailing list archives

Re: help - React keyword use to display message on web browser


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 29 Mar 2016 10:32:57 +0000

If you are getting the page in inline-out.pcap when using --daq dump and not on your network, there may be something wrong
with your setup/configuration.

You may want to focus on getting an alert first if your rule doesn't work. Output to the console first, then try writing
to the logs, then to csv, etc.

If you can, please provide a sample pcap/conf that doesn’t work.

Thanks.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amul Patel [mailto:amulpatel.biz () gmail com]
Sent: Tuesday, March 29, 2016 2:33 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

Hi Albert,

I tried inline mode but did not succeed and never saw the react response in tcpdump.

I even used the given TEST.conf and updated it with my single rule.

If you have a setup, can you please check once in inline mode and block any content in a rule as I did in the given rule?
In this case, do you get the react response?

Rule for reference: drop tcp any any -> any any (msg: "GET Packet is not allowed";content:"GET";nocase;sid:1;react:msg;)

If I use the flow keyword with established as below, then the rule does not even hit.
I have configured csv output to check whether the rule hits or not, where I can see the logs.

alert tcp any any -> any any (msg:"PATEL";flow:to_server,,established;content:"GET";nocase;react: msg;sid:1; )

It seems the rule needs to be changed, as the GET packet does not appear in the tcpdump if we block GET content.

Thanks,
Amul Patel



On Mon, Mar 28, 2016 at 5:59 PM, Amul Patel <amulpatel.biz () gmail com<mailto:amulpatel.biz () gmail com>> wrote:
Thanks a lot, Albert, for providing samples to understand.

I used the given files & executed them on my system, and I can see the HTML response in inline-out.pcap successfully.

Now I am trying to debug with my conf file with NFQ. I will keep you updated on the same.

PS :

I was using the correct rule, but by mistake I pasted the rule which has a comma. Thanks for informing.

I am using only the following correct rule.
drop tcp any any -> any any (msg: "GET Packet is not allowed";content:"GET";nocase;classtype:inappropriate-content;sid:9787879;react:msg)

On Mon, Mar 28, 2016 at 4:20 PM, Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>> wrote:
Sure.

Inline-out.pcap is attached as well as the example I used to get the page to generate.

I ran it with:

./bin/snort -c etc/TEST.conf -Q --daq dump --daq-var load-mode=read-file -r etc/TEST.pcap -l. -k none -q


Try this and see if you can get the page to generate.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Amul Patel [mailto:amulpatel.biz () gmail com<mailto:amulpatel.biz () gmail com>]
Sent: Monday, March 28, 2016 3:32 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

Thanks Albert, quick update:

I am using NFQ as the data packet source & already ran a parallel tcpdump command on the given interface and generated a .pcap
file.

I opened the pcap in Wireshark but I did not see any packet related to the message in the pcap file.
It seems snort is not sending the message.

Do you have any sample pcap file which shows the message being sent by snort, for reference?

Thanks,
Amul Patel



On Fri, Mar 25, 2016 at 6:04 PM, Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>> wrote:
Hello,

Try running snort with “--daq dump --daq-var load-mode=read-file -Q” so it will dump a file “inline-out.pcap”.

You can check that file to see if the page is being sent. That should tell you if there is something wrong with the 
config or network related.



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Amul Patel [mailto:amulpatel.biz () gmail com<mailto:amulpatel.biz () gmail com>]
Sent: Friday, March 25, 2016 5:59 AM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] help - React keyword use to display message on web browser

Hello Team,

I need help with using the react keyword to display a message (default or user defined) in the web browser.

I am using snort version 2.9.8.0 on a linux machine.

I have enabled the required configure options as mentioned below:

./configure  --enable-active-response --enable-react --enable-flexresp3 \

I am executing snort in inline mode:

/usr/bin/snort -Q -k  none  -v -dev -c /etc/snort/snort.conf

The following is the rule I am using:

drop tcp any any -> any any (msg: "GET Packet is not allowed";content:"GET";nocase;classtype:inappropriate-content;sid:9787879;react,msg)

It is blocking & logging the message in the csv log file but does not send the default message or rule message to the browser.
Just a "connection reset" message is displayed in the web browser.

I even tried a lot of different options with different rules: changed the sid, no msg keyword with react, snort in tap mode,
etc., but no option works.

I checked the react.c file where the default HTTP & HTML page is declared, and tried to understand the code as well to see if there is any bug
there.

Can anyone help me out to display the message in the web browser?
Is any firewall rule also needed, or any other setting apart from snort?


Thanks in advance,
Regards,
Amul Patel



--



Thanks & Regards,
Amul Patel
07875648886
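The thread turns on two rule-syntax slips rather than on Snort's react code: an option written as `react,msg` (a comma where the keyword/argument separator `:` belongs, which Amul later says was a paste mistake) and a `flow` list with an empty item (`to_server,,established`, in the rule that "does not even hit"). As an added example that is not part of the thread and not Snort's own parser, the following Python checker flags both before a rule is fed to the `snort -Q --daq dump --daq-var load-mode=read-file` test Al describes. The rule strings in it are constructed to mirror the rules posted above; `lint_rule`, `split_options`, the constant names and the findings text are this example's own, and the flow keyword list is taken from the Snort 2.9 manual.

```python
"""Structural linter for Snort 2.9 rule syntax (constructed example, not Snort's parser)."""
import re

RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

# flow keywords accepted by Snort 2.9 (per the Snort manual); anything else is a typo
FLOW_WORDS = {
    "to_client", "to_server", "from_client", "from_server",
    "established", "not_established", "stateless",
    "no_stream", "only_stream", "no_frag", "only_frag",
}

# header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(body):
    """Split the option body on ';' that are outside double quotes.

    Returns (options, tail). tail is non-empty when the final option was not
    terminated with ';' (the manual describes every option as ';'-terminated).
    """
    options, current, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        prev = ch
    return options, "".join(current).strip()


def lint_rule(rule):
    """Return a list of findings; an empty list means the rule is structurally sound."""
    findings = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["rule header is malformed or the option body is not wrapped in ( )"]
    if m.group("action") not in RULE_ACTIONS:
        findings.append(f"unknown rule action {m.group('action')!r}")
    options, tail = split_options(m.group("opts"))
    if tail:
        findings.append(f"last option {tail!r} is not terminated with ';'")
        options.append(tail)
    seen = {}
    for opt in options:
        if not opt:
            continue
        key, sep, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if not sep and "," in key:
            # e.g. 'react,msg': ',' used where ':' separates keyword from argument
            findings.append(f"option {opt!r} uses ',' instead of ':' between keyword and argument")
            continue
        seen[key] = val
        if key == "msg" and not (len(val) >= 2 and val[0] == '"' and val[-1] == '"'):
            findings.append("msg argument must be a double-quoted string")
        if key == "flow":
            for item in val.split(","):
                item = item.strip()
                if item == "":
                    findings.append(f"flow argument {val!r} contains an empty item (double comma)")
                elif item not in FLOW_WORDS:
                    findings.append(f"unknown flow keyword {item!r}")
    if "sid" not in seen:
        findings.append("rule has no sid")
    return findings


# Constructed rules mirroring the thread: the mistyped react, the flow typo, and a clean one.
RULE_REACT_COMMA = ('drop tcp any any -> any any (msg:"GET Packet is not allowed";'
                    'content:"GET";nocase;classtype:inappropriate-content;sid:9787879;react,msg)')
RULE_FLOW_TYPO = ('alert tcp any any -> any any (msg:"PATEL";flow:to_server,,established;'
                  'content:"GET";nocase;react: msg;sid:1; )')
RULE_OK = ('drop tcp any any -> any any (msg:"GET Packet is not allowed"; content:"GET"; '
           'nocase; classtype:inappropriate-content; sid:9787879; react:msg;)')

if __name__ == "__main__":
    for rule in (RULE_REACT_COMMA, RULE_FLOW_TYPO, RULE_OK):
        print(rule)
        for finding in lint_rule(rule) or ["ok"]:
            print("  -", finding)
```

Running it reports the comma (and the missing final `;`) for the first rule, the empty flow item for the second, and nothing for the third; only the third is worth carrying into the `--daq dump` test, where inline-out.pcap shows whether the react page was actually emitted.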