[Snort-users] what is the difference between these rules!??!?!

Matt Kettler mkettler at ...4108...
Sat Aug 3 13:28:03 EDT 2002

How are you physically configured? Is the network traffic in question 
running *through* your snort box (ie: the machine running snort acts as a 
router with 2 network cards), or alongside it? Hogwash will only work if 
your snort box is an in-line router, and will not work as a 
single-interface side-monitor connected via a hub or ethernet tap.

Hogwash will only work if configured like this:

internet ---- snort_hogwash_machine ---  protected machine

it will not work like this:

internet ------ hub/tap ------ "protected" machine (not really protected)

The second setup works for normal snorting, but does not work for 
hogwashing: the snort machine can only see the packets in question, it 
can't block them since it's not "in line". If the second case is your only 
possible configuration, your best bet is flexresp, but that works by 
spoofing reset packets and does not work 100% reliably.

At 10:42 AM 8/3/2002 -0700, funky wrote:

>I'm trying to block some sites using the hogwash patch
>for Snort.
>I tried the rule below like the porn.rules:
>drop tcp $EXTERNAL_NET 80 -> $HOME_NET any \
>(msg:"Game site is not
>Trying to enter a web-site from a client, for example
>www.tavla.com, I can enter that, why!?!??!?!
>I have to modify the rule like below in order to block
>the site:
>drop tcp any any <> any any \
>(msg:"Game site is not allowed!!"; content:"tavla";)
>Now I'm not allowed to enter the sites.
>So do I have to modify the rules like that which I
>wanna apply the "drop" option!??!??!
>Anyone can help me in that case please?!?!?
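The difference between the two quoted rule headers is direction: `->` only inspects packets flowing from the source side to the destination side, so a `$EXTERNAL_NET 80 -> $HOME_NET any` rule never sees the client's request, which is where the `Host: www.tavla.com` string lives, while `<>` inspects both directions. The toy matcher below is an added example, not Snort's or Hogwash's code; it assumes constructed values for `$HOME_NET`/`$EXTERNAL_NET`, adds a `content:"tavla"` option to the first (truncated) rule so the two can be compared, and constructs the request/reply packets.

```python
"""Toy direction-aware Snort rule-header matcher (added example, not Snort's engine)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the snort.conf variables.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def _addr_ok(spec: str, addr: str) -> bool:
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")           # "!net" means "anything outside net"
    return (ip_address(addr) in ip_network(spec.lstrip("!"))) != negate

def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def rule_matches(rule: str, pkt: Packet) -> bool:
    """True if header direction/addresses/ports and every content: option match pkt."""
    header, _, options = rule.partition("(")
    _action, _proto, sa, sp, direction, da, dp = header.split()
    forward = (_addr_ok(sa, pkt.src) and _port_ok(sp, pkt.sport)
               and _addr_ok(da, pkt.dst) and _port_ok(dp, pkt.dport))
    if direction == "<>":                   # bidirectional: either side may send
        forward = forward or (_addr_ok(sa, pkt.dst) and _port_ok(sp, pkt.dport)
                              and _addr_ok(da, pkt.src) and _port_ok(dp, pkt.sport))
    if not forward:
        return False
    contents = re.findall(r'content:"([^"]*)"', options)
    return all(c.encode() in pkt.payload for c in contents)

# Constructed traffic: the site name appears only in the client's request.
REQUEST = Packet("192.168.1.10", 40000, "203.0.113.5", 80,
                 b"GET / HTTP/1.0\r\nHost: www.tavla.com\r\n\r\n")
REPLY = Packet("203.0.113.5", 80, "192.168.1.10", 40000,
               b"HTTP/1.0 200 OK\r\n\r\n<html>Game lobby</html>")

RULE_ONE_WAY = 'drop tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Game site"; content:"tavla";)'
RULE_BOTH_WAYS = 'drop tcp any any <> any any (msg:"Game site is not allowed!!"; content:"tavla";)'

def fires_on(rule: str) -> list:
    """Which of the two constructed packets the rule would act on."""
    return [name for name, p in (("request", REQUEST), ("reply", REPLY)) if rule_matches(rule, p)]
```

Running `fires_on` on both rules shows the one-way rule matching neither packet (it only looks at the server's reply, which does not contain the string), and the `<>` rule matching the request. Whether a match actually drops anything is the separate in-line question Matt raises above.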

