[Snort-users] Anybody using the react keyword in 2.1?

David Gianndrea dgianndrea at ...4357...
Wed Dec 31 05:16:00 EST 2003

I'm playing with a rule that uses the react keyword.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN www.bobblers.com"; content:"bobblers.com"; nocase; flow:to_client,established; react: block, msg;)

It works; however, the web client does not display the
message that is in sp_react.c. I did confirm, using Ethereal,
that the packet that contains the message contained in
sp_react.c reaches the user's workstation.

Maybe it is an HTML thing, as both Netscape 7.1 and IE 6
don't display it. Netscape 7.1 does bring up a dialog
box that states "The document contains no data".

Any thoughts?

David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   dgianndrea at ...4357...
Web:     www.comsquared.com
