[Snort-users] Kill current session with Snort/Snortsam

Vincent Corriveau Vincent.Corriveau at ...6922...
Wed Sep 18 06:18:03 EDT 2002


I want to deny MSN Messenger access to my internal
users. What must I do to stop a user's access to MSN Messenger
without blocking anything else (for example: HTTP, NNTP, Telnet)
for the same user?
I don't want to block external MSN servers for all users 
because I think they are used by hotmail.com.

I tried the following rule, but everything (HTTP, NNTP...) is denied.

ruletype bloquer
 {
  type alert output
  output alert_fwsam: x.x.x.x/y
  output alert_full: /var/log/snort/alert_fwsam.txt
 }

bloquer tcp $HOME_NET any -> $EXTERNAL_NET 80 \
 ( \
  msg:"MSN Poll - HTTP"; \
  uricontent:"/gateway/gateway.dll?Action=poll"; offset:0; depth:90; \
  flags:PA; \
  fwsam: this, 60 seconds; \
  ) 

I use Snort 1.8.7 and the Snortsam 1.13 plugin.
Thanks!

Vincent C