[Snort-users] Snort rule Facebook Block

rmkml rmkml at ...1855...
Tue Feb 15 04:35:40 EST 2011


Hi Anvin,
If you run snort in IDS mode, you can't drop network traffic.
Your subject contains "Facebook Block" but your snort rules contain *youtube*...
Warning: maybe Facebook is on an https channel...
Regards
Rmkml


On Tue, 15 Feb 2011, anvin igcar wrote:

> I want to block the INTERNAL NETWORK from viewing anything on www.youtube.com website.
> I've configured snort in the IDS mode,
> and I execute it this way:
> [root at ...15114... ~]# snort -dQ -c /etc/snort/snort.conf -l /var/log/snort -A console --daq dump
> 1) pass tcp any any -> any any (content:"www.youtube.com"; msg:"You are BLOCKED...."; sid:9991111; rev:1;)
> 2) drop tcp any any -> any any (content:"www.youtube.com"; msg:"You are BLOCKED...."; sid:9991112; rev:1;)
> These rules are not blocking me from visiting the www.youtube.com website.
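
An added example, not part of the original thread: a small Python check that explains why the command line and rules quoted above cannot block traffic. It relies on two Snort 2.9 behaviours: the `dump` and `pcap` DAQ modules do not block live packets, and `pass` rules are evaluated before `drop` rules by default. The function names are hypothetical, and the rule check compares only `content` strings.

```python
import re
import shlex

# DAQ modules that cannot block on a live link: pcap is passive only,
# dump writes packets to a capture file instead of forwarding them.
NON_BLOCKING_DAQS = {"pcap", "dump"}

# Command line and rules copied from the quoted message.
THREAD_CMD = "snort -dQ -c /etc/snort/snort.conf -l /var/log/snort -A console --daq dump"
THREAD_RULES = [
    'pass tcp any any -> any any (content:"www.youtube.com"; msg:"You are BLOCKED...."; sid:9991111; rev:1;)',
    'drop tcp any any -> any any (content:"www.youtube.com"; msg:"You are BLOCKED...."; sid:9991112; rev:1;)',
]

def check_invocation(cmdline):
    """Return reasons why this snort command line cannot drop live traffic."""
    args = shlex.split(cmdline)
    problems = []
    # -Q may be clustered with other short options, as in "-dQ".
    short_opts = [a for a in args if re.fullmatch(r"-[A-Za-z]+", a)]
    if not any("Q" in a for a in short_opts):
        problems.append("no -Q: snort runs passively (IDS mode)")
    # Without --daq, Snort 2.9 falls back to the pcap DAQ.
    daq = args[args.index("--daq") + 1] if "--daq" in args[:-1] else "pcap"
    if daq in NON_BLOCKING_DAQS:
        problems.append(f"DAQ {daq}: does not forward or block live packets")
    return problems

def check_rules(rules):
    """Flag drop rules whose content string is also matched by a pass rule.

    Simplification (assumption): only content strings are compared, which is
    enough when the rule headers overlap, as they do in the thread.
    """
    parsed = []
    for rule in rules:
        sid = re.search(r"sid:\s*(\d+)", rule).group(1)
        contents = set(re.findall(r'content:\s*"([^"]*)"', rule))
        parsed.append((rule.split()[0], contents, sid))
    passes = {c: sid for action, cs, sid in parsed if action == "pass" for c in cs}
    problems = []
    for action, contents, sid in parsed:
        if action == "drop":
            for c in sorted(contents & set(passes)):
                problems.append(f"drop sid {sid} is overridden by pass sid {passes[c]} on {c!r}")
    return problems

if __name__ == "__main__":
    for line in check_invocation(THREAD_CMD) + check_rules(THREAD_RULES):
        print(line)
```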



