[Snort-users] blocking packets with snort 1.7

Robert Grabowsky robertg at ...970...
Fri Jan 26 09:32:56 EST 2001


I would like to deny the downloading of a massive file from a web server
on my network.  I have tried the following rule without success.  In fact,
when I add the "resp: rst_all;" rule option snort will not even start
up.  It's my understanding that this option will send TCP_RST packets in
both directions.

alert tcp $EXTERNAL_NET any -> a.b.c.d 80 (msg:"Massive file
download";flags:PA; content:".exe"; nocase; resp: rst_all;) 

Any help would be truely appreciated.

Bob





More information about the Snort-users mailing list