[Snort-users] Kill current session with Snort/Snortsam

Vincent Corriveau Vincent.Corriveau at ...6922...
Mon Sep 16 19:13:03 EDT 2002


I want to deny MSN Messenger access to my internal 
users. How I must do for stopping access to MSN Messenger to the 
user
without blocking anything else (for exemple: HTTP, NNTP, Telnet) for the 
same user.
I don't want to block external MSN servers for all users 
because I think they are used
by hotmail.com. I try the following rule but all (HTTP, NNTP...) is 
denied. ruletype bloquer
 {
  type alert 
output
  output alert_fwsam: x.x.x.x/y
  output alert_full: 
/var/log/snort/alert_fwsam.txt
 } bloquer tcp $HOME_NET any -> $EXTERNAL_NET 80 
\
 ( \
  msg:"MSN Poll - HTTP"; \
  
uricontent:"/gateway/gateway.dll?Action=poll"; offset:0; depth:90; \
  
flags:PA; \
  fwsam: this, 60 seconds; \
  ) 

I use Snort 1.8.7 and Snortsam 1.13 plugin
Thanks !
Vincent C




More information about the Snort-users mailing list