[Hogwash-devel] Re: [Snort-users] what is the difference between these rules!??!?!

allen aef at ...6539...
Mon Aug 5 19:57:25 EDT 2002


Well...

The solution you did below is okay, BUT...

Let's look at the problem a little more closely;
you may decide you want to do things a little
bit differently...

PORN ...

The idea is:  "Do not allow browsers to get porn"

In order to get porn, a browser has to request porn.

By and large, mostly what I have seen is rules that
stop the browser from requesting porn, not stopping
the porn from coming in.

You can do this one of two ways or both...

1.  Block the DNS Lookup for the PORN Site

    drop udp $internal any -> $external <dns port> ( bad site data value(s) )

2.  Block the browser "GET http://www.badsite.com"
    

Again, you may wish to take a closer look at Squid and SquidGuard.

A Proxy can make it much EASIER to write rules that block Porn.

Hogwash is really better at blocking attack signatures and viri.

I'm SERIOUS.  SquidGuard is probably WHAT YOU WANT for the 
PORN problem.

That doesn't mean don't use Hogwash, just that you'd have to 
write LOTS OF RULES in Hogwash and you probably couldn't do
a perfect job of it.

Unless you knew the exact binary signature of each image that
has porn on it...  see.. that's what hogwash does... filters
exactly based on content...  each individual content...

With SquidGuard you can write "expressions" like "Don't let the 
browser request anything that sounds like 'xxx'."

Just a few expressions like that can lock things down pretty well.

Hogwash has more difficulty in rule writing for THAT PURPOSE.

That is my impression of things.  Hogwash = Security Tool, not exactly
Anti-Porn Tool...  "Not 'best' suited for that purpose"

Additionally, SquidGuard already has a database of Porn sites to
block... 100,000+ entries...

Wanna write that many hogwash rules ?

-AEF



On Mon, 2002-08-05 at 02:29, funky wrote:
> 
> Hi,
> 
> I'm making the test at my home using ppp0 for external
> interface and eth0 for internal interface. It works at
> all:)
> 
> Can you explain to me why the porn.rules rules are written
> as below:
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any /
> (msg:"Game site in not
> allowed!!";content:"tavla";nocase;flags:A+)
> 
> this is only for making alerts and logging?!?!
> If i wanna block a site, i.e. www.site.com , how can
> it be made?!? Is the solution below good?? Or can
> you tell me a better rule!? :
> drop tcp any any <> any any /
> (msg:"Game site is not allowed!!";
> content:"www.site.com";)
> 
> thanx
> 
> funky
> 
> 
> 
> --- Matt Kettler <mkettler at ...4108...> wrote:
> > How are you physically configured? Is the network traffic in question
> > running *through* your snort box (ie: the machine running snort acts as a
> > router with 2 network cards), or alongside it? Hogwash will only work if
> > your snort box is an in-line router, and will not work as a
> > single-interface side-monitor connected via a hub or ethernet tap.
> > 
> > 
> > Hogwash will only work if configured like this:
> > 
> > internet ---- snort_hogwash_machine ---  protected machine
> > 
> > it will not work like this:
> > 
> > internet ------ hub/tap ------ "protected" machine (not really protected)
> >                    |
> >             snort_hogwash_machine
> > 
> > The second setup works for normal snorting, but does not work for
> > hogwashing since the snort machine can only see the packets in question, it
> > can't block them since it's not "in line". If the second case is your only
> > possible configuration, your best bet is flexresp, but that works by
> > spoofing reset packets and does not work 100% reliably.
> > 
> > 
> > 
> > At 10:42 AM 8/3/2002 -0700, funky wrote:
> > 
> > >Hi,
> > >
> > >I'm trying to block some sites using the hogwash patch
> > >for Snort.
> > >
> > >I tried the rule below like the porn.rules:
> > >
> > >drop tcp $EXTERNAL_NET 80 -> $HOME_NET any /
> > >(msg:"Game site in not
> > >allowed!!";content:"tavla";nocase;flags:A+)
> > >
> > >Trying to enter a web-site from a client, for example
> > >www.tavla.com, i can enter that, why!?!??!?!
> > >i have to modify the rule like below in order to block
> > >the site:
> > >
> > >drop tcp any any <> any any /
> > >(msg:"Game site is not allowed!!";
> > >content:"tavla";)
> > >
> > >Now I'm not allowed to enter the sites.
> > >So do i have to modify the rules like that which i
> > >wanna apply the "drop" option!??!??!
> > >
> > >Anyone can help me in that case please?!?!?
> > >
> > >thanx
> > >
> > >funky
> > >Istanbul
> > 
> > 
> > 
> >
> > _______________________________________________
> > Hogwash-devel mailing list
> > Hogwash-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/hogwash-devel
> 
> 
> 

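As an added illustration of the point argued in this thread (not code from the thread, nor from the Snort or Hogwash projects), the following Python evaluates the three rule shapes discussed above against constructed traffic: the porn.rules-style rule that only watches server-to-client traffic on port 80, funky's bidirectional rewrite, and a DNS-lookup rule as in point 1 of the reply. Everything in it is assumed or constructed: $HOME_NET is taken as 192.168.1.0/24 and $EXTERNAL_NET as everything outside it, 53 stands in for "<dns port>", the packets use documentation addresses, and the URL regex list at the end only imitates the idea of a squidGuard expression list rather than its real configuration.

```python
# Toy evaluator for Snort/Hogwash-style rules (constructed example, not Snort's
# real matcher): shows why a rule that only watches server->client traffic on
# port 80 misses the browser's own request for the site.
import ipaddress
import re
from collections import namedtuple

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed $HOME_NET value
Packet = namedtuple("Packet", "proto src sport dst dport payload ack", defaults=[True])
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split one rule into its header fields and an option dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport, options=options)

def _addr_ok(spec, ip):
    """$EXTERNAL_NET is taken to mean 'anything outside $HOME_NET' (assumption)."""
    inside = ipaddress.ip_address(ip) in HOME_NET
    return {"any": True, "$HOME_NET": inside, "$EXTERNAL_NET": not inside}[spec]

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def _header_ok(rule, pkt):
    """'->' matches one orientation only; '<>' matches either."""
    fwd = (_addr_ok(rule["src"], pkt.src) and _port_ok(rule["sport"], pkt.sport)
           and _addr_ok(rule["dst"], pkt.dst) and _port_ok(rule["dport"], pkt.dport))
    rev = (_addr_ok(rule["src"], pkt.dst) and _port_ok(rule["sport"], pkt.dport)
           and _addr_ok(rule["dst"], pkt.src) and _port_ok(rule["dport"], pkt.sport))
    return fwd or (rule["direction"] == "<>" and rev)

def matches(rule, pkt):
    """True when protocol, header, flags:A+ and content (with nocase) all match."""
    if rule["proto"] != pkt.proto or not _header_ok(rule, pkt):
        return False
    opts = rule["options"]
    if opts.get("flags", "").startswith("A") and not pkt.ack:
        return False
    if "content" in opts:
        hay, needle = pkt.payload, opts["content"].encode()
        if "nocase" in opts:
            hay, needle = hay.lower(), needle.lower()
        return needle in hay
    return True

# Constructed traffic: a browser at 192.168.1.10 resolves and then fetches
# www.tavla.com (documentation addresses stand in for resolver and server).
TRAFFIC = {
    "dns_query": Packet("udp", "192.168.1.10", 4321, "198.51.100.53", 53,
                        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                        b"\x03www\x05tavla\x03com\x00\x00\x01\x00\x01"),
    "http_request": Packet("tcp", "192.168.1.10", 3456, "203.0.113.5", 80,
                           b"GET / HTTP/1.1\r\nHost: www.tavla.com\r\n\r\n"),
    "http_response": Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 3456,
                            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                            b"<html><title>Welcome</title></html>"),
}

RULES = {
    # porn.rules style from the thread: only server->client traffic on port 80
    "response_only": 'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any '
                     '(msg:"Game site is not allowed!!";content:"tavla";nocase;flags:A+)',
    # the rewrite that worked for funky: both directions, any port
    "bidirectional": 'drop tcp any any <> any any '
                     '(msg:"Game site is not allowed!!"; content:"tavla";)',
    # point 1 of the reply, with 53 assumed for <dns port>
    "dns_lookup": 'drop udp $HOME_NET any -> $EXTERNAL_NET 53 '
                  '(msg:"Game site lookup";content:"tavla";nocase;)',
}

def first_hit(rule_text, traffic=TRAFFIC):
    """Name of the first packet the rule fires on, or None if it never fires."""
    rule = parse_rule(rule_text)
    return next((name for name, pkt in traffic.items() if matches(rule, pkt)), None)

# Proxy-side alternative in the spirit of a squidGuard expression list: constructed
# regexes checked against the requested URL, so the request never leaves.
URL_EXPRESSIONS = [re.compile(p, re.IGNORECASE) for p in (r"xxx", r"tavla")]

def proxy_blocks(url):
    return any(e.search(url) for e in URL_EXPRESSIONS)
```

Run `first_hit` over the three rules: the response-only rule never fires, because the browser's GET (the packet that actually contains "tavla") travels client-to-server and the server's reply need not mention the site name at all; the bidirectional rule fires on the request, and the DNS rule fires on the lookup, before any HTTP session starts. The proxy-side regex check shows the squidGuard-style alternative: a couple of expressions against the requested URL, rather than one content rule per site.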