[Snort-users] i can't block sites with Snort [ OT - a less sucky way to do this ]

Moyer, Shawn SMoyer at ...5894...
Thu Aug 1 10:46:30 EDT 2002


Totally outside of Snort anyway, but for what you're doing (blocking a list
of inappropriate websites), you'd be a lot better off with Squid
(http://www.squid-cache.org) via transproxy and DansGuardian
(http://www.dansguardian.org).

Personally, I don't do anything with automated responses and IDS's. I see
them as data-gathering tools with a very looong way to go before we'll
really see any of that "Adaptive Network Security" we keep hearing about. I
do kill a couple common URI's at my firewalls (cmd.exe, root.exe, etc.), but
that's about it.

--shawn


> -----Original Message-----
> From: Skip Carter [mailto:skip at ...1552...]
> Sent: Thursday, August 01, 2002 12:01
> To: funky
> Cc: Snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] i can't block sites with Snort 
> 
> 
> 
> > I wrote a rule like below:
> > 
> > alert tcp $HOME_NET any -> any 80
> > ( content-list:"game.txt"; msg:"Interdit!!!";
> > react:block;msg;)
> > 
> > Like that when I run snort, it didn't block the sites
> > that contain the words I mentioned in the "game.txt"
> > file.
> > 
> > I tried to apply "pass" in place of "alert", but it
> > didn't work either.
> > 
> > Any idea?!??!
> 
> I have never had any luck with 'react' working (on OpenBSD) but
> 'resp' does appear to work.
> 
> In any case, the problem you are having is probably due to the fact
> that most http connections only involve one or two packets and snort
> is not responding before the connection closes anyway.  Snort is
> responding to that particular connection, it is not acting like a
> firewall which inspects the packets before deciding it's safe to
> forward them on.
> 
> 
> 
> 
> 
> -- 
>  Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
>  Taygeta Scientific Inc.        INTERNET: skip at ...1552...
>  1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
>  Monterey, CA. 93940            