[Hogwash-devel] Re: [Snort-users] what is the difference between these rules!??!?!

funky azimlinux at ...131...
Mon Aug 5 00:30:03 EDT 2002


Hi,

I'm making the test at my home using ppp0 as the external
interface and eth0 as the internal interface. It works at
all :)

Can you explain to me why the porn.rules rules are written
as below:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
(msg:"Game site is not allowed!!"; content:"tavla"; nocase; flags:A+;)

Is this only for making alerts and logging?
If I want to block a site, i.e. www.site.com, how can
it be done? Is the solution below good? Or can
you tell me a better rule?:
drop tcp any any <> any any \
(msg:"Game site is not allowed!!"; content:"www.site.com";)

thanx

funky



--- Matt Kettler <mkettler at ...4108...> wrote:
> How are you physically configured? Is the network traffic in question
> running *through* your snort box (i.e. the machine running snort acts as a
> router with 2 network cards), or alongside it? Hogwash will only work if
> your snort box is an in-line router, and will not work as a
> single-interface side-monitor connected via a hub or ethernet tap.
> 
> 
> Hogwash will only work if configured like this:
> 
> internet ---- snort_hogwash_machine --- protected machine
> 
> it will not work like this:
> 
> internet ------ hub/tap ------ "protected" machine (not really protected)
>                  |
>           snort_hogwash_machine.
> 
> The second setup works for normal snorting, but does not work for
> hogwashing since the snort machine can only see the packets in question; it
> can't block them since it's not "in line". If the second case is your only
> possible configuration, your best bet is flexresp, but that works by
> spoofing reset packets and does not work 100% reliably.
> 
> 
> 
> At 10:42 AM 8/3/2002 -0700, funky wrote:
> 
> >Hi,
> >
> >I'm trying to block some sites using the hogwash patch
> >for Snort.
> >
> >I tried the rule below like the porn.rules:
> >
> >drop tcp $EXTERNAL_NET 80 -> $HOME_NET any \
> >(msg:"Game site is not allowed!!"; content:"tavla"; nocase; flags:A+;)
> >
> >Trying to enter a web-site from a client, for example
> >www.tavla.com, I can enter that, why?
> >I have to modify the rule like below in order to block
> >the site:
> >
> >drop tcp any any <> any any \
> >(msg:"Game site is not allowed!!"; content:"tavla";)
> >
> >Now I'm not allowed to enter the sites.
> >So do I have to modify like that the rules to which I
> >want to apply the "drop" option?
> >
> >Can anyone help me in that case please?
> >
> >thanx
> >
> >funky
> >Istanbul


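As an added illustration, not part of the thread and not Snort's or hogwash's own matching engine, the following Python model shows what the two rule headers discussed above actually select. It models only the rule header (address, port and the -> / <> direction operator) plus the content and nocase options, and runs them over a constructed HTTP request and reply; the $HOME_NET and $EXTERNAL_NET values, the client and server addresses and the payloads are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed snort.conf-style variable values; not taken from the thread.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def _addr_matches(spec, ip):
    """Match one address spec: 'any', a CIDR, or a negated (!) CIDR."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(ip) in net
    return not inside if negate else inside


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a one-line Snort rule into header fields and (key, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    options = []
    for opt in rule.pop("opts").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    rule["options"] = options
    return rule


def _header_matches(rule, pkt):
    """'->' matches one direction only; '<>' matches either direction."""
    def one_way(src, sport, dst, dport):
        return (_addr_matches(rule["src"], src) and _port_matches(rule["sport"], sport)
                and _addr_matches(rule["dst"], dst) and _port_matches(rule["dport"], dport))
    forward = one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule["dir"] == "->":
        return forward
    return forward or one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def rule_matches(rule, pkt):
    """Header first, then each content option; nocase applies to the content before it."""
    # msg and flags are parsed but not evaluated: the toy packets carry no TCP flags.
    if not _header_matches(rule, pkt):
        return False
    contents = []  # [needle, nocase]
    for key, val in rule["options"]:
        if key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for needle, nocase in contents:
        hay = pkt.payload.lower() if nocase else pkt.payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


# Constructed HTTP exchange between a LAN client and a web server (not captured traffic).
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
EXCHANGE = [
    Packet(CLIENT, 40123, SERVER, 80, b"GET / HTTP/1.1\r\nHost: www.tavla.com\r\n\r\n"),
    Packet(SERVER, 80, CLIENT, 40123, b"HTTP/1.1 200 OK\r\n\r\n<html>Tavla</html>"),
]

RULE_NARROW = ('drop tcp $EXTERNAL_NET 80 -> $HOME_NET any '
               '(msg:"Game site is not allowed!!"; content:"tavla"; nocase; flags:A+;)')
RULE_BROAD = ('drop tcp any any <> any any '
              '(msg:"Game site is not allowed!!"; content:"www.tavla.com";)')


def matching_packets(rule_text, packets=EXCHANGE):
    """Indexes of packets the rule selects: 0 is the client's request, 1 the server's reply."""
    rule = parse_rule(rule_text)
    return [i for i, p in enumerate(packets) if rule_matches(rule, p)]


if __name__ == "__main__":
    print("narrow rule selects:", matching_packets(RULE_NARROW))  # [1]: the reply only
    print("broad rule selects: ", matching_packets(RULE_BROAD))   # [0]: the request
```

Running it shows that the narrow header ($EXTERNAL_NET 80 -> $HOME_NET any) can only ever select packets travelling from the web server back to the LAN, while any any <> any any also sees the client's outbound request, which is where the hostname appears. When a drop rule seems not to fire, the two things to verify first are which direction the header can see at all and what $HOME_NET and $EXTERNAL_NET actually resolve to on that sensor.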



