[Snort-users] Block packages

Carlos Illana sistemas at ...3361...
Fri Sep 7 00:07:03 EDT 2001


Hi all,

I'm a new snort user. I've finally installed and configured snort version 
1.8.1.
I'm alerted now from packages that match the expressions of the rules, but 
I'm really tired of red code attacks in my web server log and I want to 
block all these IP packages.

I have the following rule:
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS552/web-iis_IIS ISAPI Overflow ida";dsize:>239;flags:A+;content:".ida?")

It alerts me to the attack, but it doesn't block the package.

I have tried:

alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS552/web-iis_IIS ISAPI Overflow ida";dsize:>239;flags:A+;content:".ida?";react: block, msg;)

But snort complains that react is not a recognized keyword, in spite of 
what is in the manual 
(http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24).

Do I have to use Guardian or something similar? Can I simply reject 
all packages that match the rules, or is snort sniffing packages in 
parallel with the package routing?

Thanx in advance,

Carlos



