[Snort-users] sp_pattern_match..

Maciek Szarpak M.Szarpak at ...137...
Mon Aug 14 18:17:47 EDT 2000


Fyodor wrote:
> 
>  New keyword support: content-list and new preprocessor sp_react
> by Maciek Szarpak <M.Szarpak at ...137...> were committed into the source tree
> during the last few days. Testers are welcome. Any feedback is appreciated :)
> 

Hello,

I'd like to present the New Snort Rule Options:

     This text is an introduction to the new Snort keywords:

        * content-list
        * react

     The react option requires the libnet library and flexible response
     to be enabled. Have a nice snorting!


     Content-list

     The content-list keyword replaces multiple uses of the content
     keyword. The content patterns, words or web site addresses must
     each be on a separate line of the content-list file, as shown in
     Figure 1. This option is the basis for the react keyword.


          # adult sites
          porn
          adults
          hard core
          www.pornsite.com
          # ...
                  Figure 1 - Content-list "adults" file example

     Format:

          content-list: "<file_name>";


     React

     The react keyword, based on flexible response (Flex Resp), implements
     a flexible reaction to traffic that matches a Snort rule. The basic
     reaction is blocking interesting sites users want to access: New York
     Times, slashdot, or something really important - napster and porn
     sites. The Flex Resp code allows Snort to actively close offending
     connections and/or send a visible notice to the browser (warn modifier
     available soon). The notice may include your own comment. The
     following arguments are valid for this option:

        * block - close connection and send the visible notice
        * msg - include the msg option text into the visible notice

     The following will be available soon:

        * warn - send the visible notice (warning)
        * proxy: <port_nr> - use the proxy port to send the visible
          notice

     Multiple arguments are separated by a comma.

     Format:

          react: <react_modifier[, react_modifier...]>;


          alert tcp any any <> 192.168.1.0/24 80 (content-list: "adults";
              react: block, msg; msg: "Not for children!";)
          alert tcp any any <> 192.168.1.0/24 any (content-list: "adults";
              react: block; msg: "Adults list access attempt";)
                   Figure 2 - React Usage Examples

 
------------------------------------------------------------------------
Maciej Szarpak, The Warsaw University of Technology
http://home.elka.pw.edu.pl/~mszarpak/snort/
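As an added example (not part of the original post and not Snort's own code), the following Python simulates how the content-list file from Figure 1 and a react rule from Figure 2 fit together: it parses the list and the rule options, matches a payload and reports which react modifiers and notice text would apply. It assumes Snort's plain substring semantics for content matching and that a '#' starts a comment line; all sample data is constructed.

```python
# Added example, not Snort's code: simulates how a content-list file and a
# react rule from the post fit together. Assumptions: list patterns are plain
# substrings tested against the TCP payload (as Snort's content keyword does)
# and '#' starts a comment line. All sample data below is constructed.
import re
from typing import Dict, List, Optional

# Constructed copy of the Figure 1 "adults" content-list file.
ADULTS_LIST = """# adult sites
porn
adults
hard core
www.pornsite.com
# ...
"""

# Constructed rule in the Figure 2 format.
RULE = ('alert tcp any any <> 192.168.1.0/24 80 (content-list: "adults"; '
        'react: block, msg; msg: "Not for children!";)')


def parse_content_list(text: str) -> List[bytes]:
    """One pattern per non-empty, non-comment line of the list file."""
    return [line.strip().encode() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def parse_rule_options(rule: str) -> Dict[str, str]:
    """Extract the 'key: value;' options between the rule's parentheses."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return {k: v.strip().strip('"')
            for k, v in re.findall(r'([\w-]+)\s*:\s*([^;]*);', body)}


def match_content_list(payload: bytes, patterns: List[bytes]) -> Optional[bytes]:
    """First list pattern found in the payload, or None when no alert fires."""
    return next((p for p in patterns if p in payload), None)


def evaluate(rule: str, payload: bytes, lists: Dict[str, List[bytes]]) -> Optional[dict]:
    """Describe the reaction the rule would take on this payload, or None."""
    opts = parse_rule_options(rule)
    hit = match_content_list(payload, lists[opts["content-list"]])
    if hit is None:
        return None
    modifiers = [m.strip() for m in opts.get("react", "").split(",") if m.strip()]
    # The 'msg' react modifier copies the rule's msg text into the visible notice.
    notice = opts.get("msg", "") if "msg" in modifiers else ""
    return {"react": modifiers, "pattern": hit.decode(), "notice": notice}
```

Because the patterns are tested in file order, a request for www.pornsite.com is reported as a hit on the earlier "porn" entry; a list should be ordered with that in mind when the reported pattern matters.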



