[Snort-users] snort 2.8.5.3 with react keyword not sending msg to browser

Joel Esler jesler at ...1935...
Tue Apr 27 08:52:20 EDT 2010


Did you build Snort with --enable-react at ./configure time?

Joel

On Apr 27, 2010, at 7:26 AM, RMS, Admin wrote:

> Hello,
> 
> I’m using Snort 2.8.5.3 inline, and I am trying to set up a msg with the react keyword for users (IP) who trigger the following alert:
> 
> alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \
> msg:"Notforchildren!";sid:111000101;react:block, msg;)
> 
> The alert is seen in the snort log, but not in the user’s browser. 
> (I suppose that the content of the msg sent to the browser is “Notforchildren!”)
> 
> Then, I’ve tried with
> 
> alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \
> msg:"Notforchildren!";sid:111000101;react:block, msg, proxy 8080;)
> 
> I don’t understand the modifier "proxy". Is it a local port which sends the msg to the user, or is it the web proxy?
> 
> And the following error occurs when starting snort :
> 
> ERROR: /etc/snort_inline/rules/local.rules(7): invalid react modifier: proxy 8080
> 
> Question: How does Snort send the message to the browser? Does it work with any OS or browser (IE, Firefox…)?
> 
> Thanks in advance,
> 
> Al.

--
Joel Esler






