[Snort-users] snort 2.8.5.3 with react keyword not sending msg to browser

Russ Combs rcombs at ...1935...
Tue Apr 27 09:50:57 EDT 2010


There is a bug in sp_react.c.  The attached patch will fix it.  Apply with:

cd src
patch -p0 < react.diff

If you just want to use 8080 as the proxy port, you can omit the option
altogether and skip the patch as that is the default.

On Tue, Apr 27, 2010 at 9:23 AM, Joel Esler <jesler at ...1935...> wrote:

> I don't know, I don't run Snort on Windows. I don't run the react keyword.
>  I was basically saying that your format is correct in your rule, maybe
> someone else can pipe in and give you an opinion as well.
>
> Joel
>
>
> On Tue, Apr 27, 2010 at 9:16 AM, RMS, Admin <Admin.RMS at ...14841...> wrote:
>
>> Is it working on Windows as well as on Linux (likewise for Mozilla and
>> Internet Explorer)?
>>
>> What kind of message is supposed to appear in the client web browser (HTML,
>> pop-up, …)?
>>
>>
>>
>> Thanks,
>>
>> Alexandre
>>
>>
>>
>> *From:* Joel Esler [mailto:jesler at ...1935...]
>> *Sent:* Tuesday, April 27, 2010 15:11
>> *To:* RMS, Admin
>> *Cc:* Snort Users
>>
>> *Subject:* Re: [Snort-users] snort 2.8.5.3 with react keyword not sending
>> msg to browser
>>
>>
>>
>> /** please make sure you cc the snort-users group **/
>>
>>
>>
>> It looks like you have the field typed correctly, I am not sure why Snort
>> isn't accepting it.
>>
>>
>>
>> Joel
>>
>> On Tue, Apr 27, 2010 at 9:08 AM, RMS, Admin <Admin.RMS at ...14841...> wrote:
>>
>> Hello Joel,
>>
>>
>>
>> Thanks for your answer.
>>
>>
>>
>> Did you build Snort with --enable-react at ./configure time?
>>
>> -> Yes, I did, and no error at ./configure, make, make install time
>>
>>
>>
>> Br,
>>
>> Alexandre
>>
>>
>>
>>
>>
>> *From:* Joel Esler [mailto:jesler at ...1935...]
>> *Sent:* Tuesday, April 27, 2010 14:52
>> *To:* RMS, Admin
>> *Cc:* snort-users at lists.sourceforge.net
>> *Subject:* Re: [Snort-users] snort 2.8.5.3 with react keyword not sending
>> msg to browser
>>
>>
>>
>> Did you build Snort with --enable-react at ./configure time?
>>
>>
>>
>> Joel
>>
>>
>>
>> On Apr 27, 2010, at 7:26 AM, RMS, Admin wrote:
>>
>>
>>
>> Hello,
>>
>> I’m using snort 2.8.5.3 inline, and I try to set up a msg with the react
>> keyword for users (IP) which trigger the following alert:
>>
>> alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \
>> msg:"Notforchildren!";sid:111000101;react:block, msg;)
>>
>> The alert is seen in the snort log, but not in the user’s browser.
>> (I suppose that the content of the msg sent to the browser is
>> “Notforchildren!”)
>>
>> Then, I’ve tried with
>>
>> alert tcp any any <> $EXTERNAL_NET 80 (content:"GET"; \
>> msg:"Notforchildren!";sid:111000101;react:block, msg, proxy 8080;)
>>
>> I don’t understand the modifier "proxy". Is it a local port which sends the
>> msg to the user, or is it the web proxy?
>>
>> And the following error occurs when starting snort :
>>
>> ERROR: /etc/snort_inline/rules/local.rules(7): invalid react modifier:
>> proxy 8080
>>
>> Question: How does Snort send the message to the browser? Does it work with
>> any OS or browser (IE, Firefox…)?
>>
>> Thanks in advance,
>>
>> Al.
>>
>> --
>>
>> Joel Esler
>
> --
> Joel Esler
-------------- next part --------------
A non-text attachment was scrubbed...
Name: react.diff
Type: text/x-patch
Size: 696 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100427/928bb206/attachment.bin>

