[Snort-users] Kill current session with Snort/Snortsam

Vincent Corriveau Vincent.Corriveau at ...6922...
Mon Sep 16 19:13:03 EDT 2002

I want to deny MSN Messenger access to my internal 
users. How I must do for stopping access to MSN Messenger to the 
without blocking anything else (for exemple: HTTP, NNTP, Telnet) for the 
same user.
I don't want to block external MSN servers for all users 
because I think they are used
by hotmail.com. I try the following rule but all (HTTP, NNTP...) is 
denied. ruletype bloquer
  type alert 
  output alert_fwsam: x.x.x.x/y
  output alert_full: 
 } bloquer tcp $HOME_NET any -> $EXTERNAL_NET 80 
 ( \
  msg:"MSN Poll - HTTP"; \
uricontent:"/gateway/gateway.dll?Action=poll"; offset:0; depth:90; \
flags:PA; \
  fwsam: this, 60 seconds; \

I use Snort 1.8.7 and Snortsam 1.13 plugin
Thanks !
Vincent C

More information about the Snort-users mailing list