[Snort-sigs] Anybody using the react keyword in 2.1?

David Gianndrea dgianndrea at ...163...
Tue Dec 30 13:06:01 EST 2003


Im playing with a rule that uses the react keyword.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN
www.bobblers.com"; content:"bobblers.com"; nocase;
flow:to_client,established; react: block, msg;)


It works, however the web client does not display the
message that is in sp_react.c. I did confirm that the
packet that contains message contained in sp_react.c
reaches the users workstation using Ethereal.

Maybe it is an html thing as both Netscape 7.1, and IE 6
don't display it. Netscape 7.1 does bring up a dialog
box that states " The document contains no data"

Any thoughts?

-- 
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.






More information about the Snort-sigs mailing list