[Snort-users] i can't block sites with Snort [ OT - a less su cky way to do this ]
SMoyer at ...5894...
Thu Aug 1 10:46:30 EDT 2002
Totally outside of Snort anyway, but for what you're doing (blocking a list
of inappropriate websites), you'd be a lot better off with Squid
(http://www.squid-cache.org) via transproxy and DansGuardian
Personally, I don't do anything with automated responses and IDS's. I see
them as data-gathering tools with a very looong way to go before we'll
really see any of that "Adaptive Network Security" we keep hearing about. I
do kill a couple common URI's at my firewalls (cmd.exe, root.exe, etc.), but
that's about it.
> -----Original Message-----
> From: Skip Carter [mailto:skip at ...1552...]
> Sent: Thursday, August 01, 2002 12:01
> To: funky
> Cc: Snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] i can't block sites with Snort
> > I wrote a rule like below:
> > alert tcp $HOME_NET any -> any 80
> > ( content-list:"game.txt"; msg:"Interdit!!!";
> > react:block;msg;)
> > Like that when I run snort, it didn't block the sites
> > that contain the words I mentioned in the "game.txt"
> > file.
> > I tried to apply "pass" in place of "alert", but it
> > didn't work either.
> > Any idea?!??!
> I have never had any luck with 'react' working (on OpenBSD) but 'resp' does
> to work.
> In any case, the problem you are having is probably due to the fact that most
> connections only involve one or two packets and snort is not responding
> before the connection closes anyway. Snort is responding to that particular
> connection, it is not acting like a firewall which inspects the packets
> before deciding it's safe to forward them on.
> Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
> Taygeta Scientific Inc. INTERNET: skip at ...1552...
> 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
> Monterey, CA. 93940
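As an added illustration of the Squid approach suggested in the first message (this is not configuration from either poster): a squid.conf fragment that denies a request before it is forwarded, which is the inline decision a passive Snort response cannot make. The port numbers, file paths, ACL names and client network are assumptions.

```conf
# squid.conf fragment (added example; ports, paths and ACL names are assumptions)

# Port that receives traffic the gateway redirects from TCP/80.
# "intercept" is the Squid 3.1+ keyword; Squid 2.6-3.0 used "transparent".
http_port 3129 intercept
# Squid expects at least one normal forward-proxy port as well.
http_port 3128

# Clients allowed to use the proxy (constructed example network).
acl home_net src 192.168.1.0/24

# One regular expression per line, matched case-insensitively against the
# full request URL. Plays the role of the game.txt keyword list in the
# Snort rule quoted above.
acl blocked_words url_regex -i "/etc/squid/game.txt"

# Exact-domain blocking is cheaper and less prone to false positives than
# keyword matching. One domain per line; a leading dot also matches subdomains.
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"

# http_access lines are evaluated top-down and the first match wins,
# so the deny rules must come before the allow rule.
http_access deny blocked_domains
http_access deny blocked_words
http_access allow home_net
http_access deny all
```

Because the proxy terminates the client connection and only then opens its own connection to the origin server, a denied request never leaves the network, regardless of how few packets the exchange would have taken. Interception as shown only sees plain HTTP on the redirected port.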