[Snort-users] i can't block sites with Snort

Skip Carter skip at ...1552...
Thu Aug 1 10:04:18 EDT 2002


> I wrote a rule like below:
> 
> alert tcp $HOME_NET any -> any 80
> ( content-list:"game.txt"; msg:"Interdit!!!";
> react:block;msg;)
> 
> Like that, when I run snort, it didn't block the sites
> that contain the words I mentioned in the "game.txt"
> file.
> 
> I tried to apply "pass" in place of "alert", but it
> didn't work either.
> 
> Any idea?!??!

I have never had any luck with 'react' working (on OpenBSD) but 'resp' does
appear to work.

In any case, the problem you are having is probably due to the fact that most
http connections only involve one or two packets and snort is not responding
before the connection closes anyway. Snort is responding to that particular
connection; it is not acting like a firewall which inspects the packets before
deciding it's safe to forward them on.





-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip at ...1552...
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
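
The two response options discussed in this thread, written out as an added example (not part of the original messages). It reuses $HOME_NET and game.txt from the question, follows the Snort manual's comma-separated modifier syntax for react and resp, and assumes a Snort build with active-response (flexresp) support compiled in.

```snort
# Added example, not from the original thread.
# Both rules are passive responses: Snort sees a copy of the packet, matches
# the content, and only then injects its response. As the reply above notes,
# a short HTTP exchange may already be finished by that point.

# react: the manual lists the modifiers (block, msg) separated by commas
# inside a single react option.
alert tcp $HOME_NET any -> any 80 (content-list:"game.txt"; msg:"Interdit!!!"; react: block, msg;)

# resp: the flexresp alternative the reply reports as working.
# rst_all sends TCP resets in both directions of the matching connection.
alert tcp $HOME_NET any -> any 80 (content-list:"game.txt"; msg:"Interdit!!!"; resp: rst_all;)
```

Neither rule makes Snort a forwarding device. Blocking a request before it reaches the server requires a firewall or proxy in the traffic path.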














