[Snort-users] sp_pattern_match..

Maciek Szarpak M.Szarpak at ...137...
Mon Aug 14 18:17:47 EDT 2000

Fyodor wrote:
>  New keyword support: content-list and new preprocessor sp_react
> by Maciek Szarpak <M.Szarpak at ...137...> were committed into sourcetree
> during few days. Testers are welcome. Any feedback is appreciated :)


I'd like to present the New Snort Rule Options:

     This text is an introduction to the new Snort keywords:

        * content-list
        * react

     The react option requires the libnet library and
     flexible-response enabled. Have a nice snorting!


     The content-list keyword replaces the multiple usage of the content
     keyword. The content patterns, words or web site addresses must be
     contained each on a single line of the content-list file as shown in
     Figure 1. This option is the basis for the react keyword.

          # adult sites
          hard core
          # ...
                  Figure 1 - Content-list "adults" file example


          content-list: "<file_name>";


     The react keyword, based on flexible response (Flex Resp), implements
     flexible reaction to traffic that matches a Snort rule. The basic
     reaction is blocking interesting sites users want to access: New
     Times, slashdot, or something really important - napster and porn
     sites. The Flex Resp code allows Snort to actively close offending
     connections and/or send a visible notice to the browser (warn
     available soon). The notice may include your own comment. The
     following arguments are valid for this option:

        * block - close connection and send the visible notice
        * msg - include the msg option text into the visible notice

     The following will be available soon:

        * warn - send the visible notice (warning)
        * proxy: <port_nr> - use the proxy port to send the visible

     Multiple arguments are separated by a comma.


          react: <react_modifier[, react_modifier...]>;

          alert tcp any any <> 80 (content-list: "adults"; react: block, msg; msg: "Not for children!";)
          alert tcp any any <> any (content-list: "adults"; react: block; msg: "Adults list access
                         Figure 2 - React Usage Examples

Maciej Szarpak, The Warsaw University of Technology
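
Added example, not part of the original post and not Snort code: a dry-run checker for a content-list file, useful before pairing the list with react: block, where a false match closes a legitimate connection. It assumes that '#' lines and blank lines are skipped, that matching is a case-sensitive substring search, and that a hit on any single line triggers the rule; the function names, sample list and sample requests are constructed for illustration.

```python
# Added example: dry-run checker for a content-list file (not Snort code).
# Assumptions: '#' and blank lines are skipped, matching is case-sensitive
# substring search, and a hit on any one pattern triggers the rule.

def parse_content_list(text):
    """Return (line_number, pattern_bytes) for each non-comment line."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append((lineno, line.encode("latin-1")))
    return patterns

def lint(patterns, min_len=4):
    """Flag entries likely to over-block: very short or duplicated patterns."""
    findings, seen = [], {}
    for lineno, pat in patterns:
        if len(pat) < min_len:
            findings.append((lineno, "short pattern"))
        if pat in seen:
            findings.append((lineno, f"duplicate of line {seen[pat]}"))
        else:
            seen[pat] = lineno
    return findings

def hits(patterns, payload):
    """Return the list-file line numbers whose pattern occurs in payload."""
    return [lineno for lineno, pat in patterns if pat in payload]

# Constructed list in the style of Figure 1, plus two risky entries.
SAMPLE_LIST = """# adult sites
hard core
sex
# ...
hard core
"""

# Constructed traffic: one payload the list is meant to catch, one benign.
BLOCKED = b"HTTP/1.0 200 OK\r\n\r\n<title>hard core pics</title>"
BENIGN = b"GET /tourism/sussex.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    pats = parse_content_list(SAMPLE_LIST)
    print("lint findings:", lint(pats))
    for name, data in (("blocked", BLOCKED), ("benign", BENIGN)):
        print(name, "-> matching list lines:", hits(pats, data))
```

The benign request matches list line 3 because the short pattern occurs inside an unrelated word, which is the kind of entry to tighten before enabling block.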