[Snort-users] i can't block sites with Snort
skip at ...1552...
Thu Aug 1 10:04:18 EDT 2002
> I wrote a rule like below:
> alert tcp $HOME_NET any -> any 80
> ( content-list:"game.txt"; msg:"Interdit!!!";
> Like that when i run snort, it didn't block the sites,
> that contains the words i mentioned in the "game.txt"
> I tried to apply "pass" in place of "alert" , but it
> didn'r worked neither.
> Any idea?!??!
I have never had any luck with 'react' working (on OpenBSD) but 'resp' does
In any case, the problem you are having is probably due to the fact that most
connections only involve one or two packets and snort is not reponding
before the connection
closes anyway. Snort is responding to that particular connection, it
acting like a firewall which inspects the packets before deciding its
safe to forward them on.
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip at ...1552...
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940
More information about the Snort-users