[Snort-users] what is the difference between these rules!??!?!

Matt Kettler mkettler at ...4108...
Sat Aug 3 13:28:03 EDT 2002


How are you physically configured? Is the network traffic in question 
running *through* your snort box (ie: the machine running snort acts as a 
router with 2 network cards), or alongside it? Hogwash will only work if 
your snort box is an in-line router, and will not work as a 
single-interface side-monitor connected via a hub or ethernet tap.


Hogwash will only work if configured like this:

internet ---- snort_hogwash_machine ---  protected machine

it will not work like this:

internet ------ hub/tap ------ "protected" machine (not really protected)
                 |
          snort_hogwash_machine.

The second setup works for normal snorting, but does not work for 
hogwashing since the snort machine can only see the packets in question, it 
can't block them since it's not "in line". If the second case is your only 
possible configuration, your best bet is flexresp, but that works by 
spoofing reset packets and does not work 100% reliably.



At 10:42 AM 8/3/2002 -0700, funky wrote:

>Hi,
>
>I'm trying to block some sites using the hogwash patch
>for Snort.
>
>I tried the rule below like the porn.rules:
>
>drop tcp $EXTERNAL_NET 80 -> $HOME_NET any /
>(msg:"Game site in not
>allowed!!";content:"tavla";nocase;flags:A+)
>
>Tyring to enter a web-site froma client, for exemple
>www.tavla.com, i can enter that, why!?!??!?!
>i have to modify the rule like below in order to block
>the site:
>
>drop tcp any any <> any any /
>(msg:"Game site is not allowed!!"; content:"tavla";)
>
>Now i'M not allowed to enter the sites.
>So do i have to modify the rules like that which i
>wanna apply the "drop" option!??!??!
>
>Anyone can help me in that case please?!?!?
>
>thanx
>
>funky
>Istanbul





More information about the Snort-users mailing list