[Snort-users] Re: [Hogwash-devel] what is the difference between these rules!??!?!

allen aef at ...6539...
Mon Aug 5 19:57:19 EDT 2002


I think you may find your answer if you look at the
"direction" of your first rule here...

It says, "if you see 'tavla' coming FROM the EXTERNAL interface,
then drop the packet".

That is in the wrong "direction" if you are trying to stop
a request FROM the INTERNAL interface.

?

-AEF


On Sat, 2002-08-03 at 12:42, funky wrote:
> 
> Hi,
> 
> I'm trying to block some sites using the hogwash patch
> for Snort.
> 
> I tried the rule below like the porn.rules:
> 
> drop tcp $EXTERNAL_NET 80 -> $HOME_NET any /
> (msg:"Game site in not allowed!!";content:"tavla";nocase;flags:A+)
> 
> Trying to enter a web-site from a client, for example
> www.tavla.com, I can enter that, why!?!??!?!
> I have to modify the rule like below in order to block
> the site:
> 
> drop tcp any any <> any any /
> (msg:"Game site is not allowed!!"; content:"tavla";)
> 
> Now I'm not allowed to enter the sites.
> So do I have to modify the rules like that which I
> wanna apply the "drop" option!??!??!
> 
> Anyone can help me in that case please?!?!?
> 
> thanx
> 
> funky
> Istanbul
> 
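
Added example (not part of either message, and not Hogwash or Snort code): a small Python model of how the direction operator in a rule header is evaluated, run against a constructed client request and server reply. The HOME_NET value, the packet addresses and payloads, and the OUTBOUND rule are assumptions made for illustration.

```python
import ipaddress

# Assumed variable value (not from the thread): a private LAN; all else is external.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

def addr_ok(spec, ip):
    """Match one address field of a rule header against a packet address."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside if spec == "$HOME_NET" else not inside  # else branch: $EXTERNAL_NET

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(header, pkt):
    """header is 'action proto src sport dir dst dport'; pkt is a dict."""
    _action, _proto, src, sport, direction, dst, dport = header.split()
    def one_way(s, sp, d, dp):
        return (addr_ok(src, s) and port_ok(sport, sp)
                and addr_ok(dst, d) and port_ok(dport, dp))
    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    # '<>' also accepts the packet with its endpoints swapped; '->' does not.
    return direction == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def rule_drops(header, content, nocase, pkt):
    """True when both the header and the content option match the packet."""
    payload = pkt["payload"]
    if nocase:
        content, payload = content.lower(), payload.lower()
    return header_matches(header, pkt) and content in payload

# Constructed packet: a LAN client's HTTP request (addresses are placeholders).
REQUEST = {"src": "192.168.1.10", "sport": 34567, "dst": "203.0.113.5", "dport": 80,
           "payload": "GET / HTTP/1.1\r\nHost: www.tavla.com\r\n\r\n"}
# Constructed reply segment from the server; it happens not to contain the string.
RESPONSE = {"src": "203.0.113.5", "sport": 80, "dst": "192.168.1.10", "dport": 34567,
            "payload": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"}

FIRST = "drop tcp $EXTERNAL_NET 80 -> $HOME_NET any"      # first rule in the thread
SECOND = "drop tcp any any <> any any"                    # second rule in the thread
OUTBOUND = "drop tcp $HOME_NET any -> $EXTERNAL_NET 80"   # assumed narrower alternative

if __name__ == "__main__":
    for name, hdr in (("FIRST", FIRST), ("SECOND", SECOND), ("OUTBOUND", OUTBOUND)):
        print(name, "drops request:", rule_drops(hdr, "tavla", True, REQUEST))
```

The first rule's header only ever matches server-to-client packets, so the request carrying the Host header is never inspected by it; the second rule matches every TCP packet in both directions, which is why it blocks the site but is far broader than needed.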
