[Snort-users] Snort rule Facebook Block

Russ Combs rcombs at ...1935...
Tue Feb 15 06:53:20 EST 2011

On Tue, Feb 15, 2011 at 4:35 AM, rmkml <rmkml at ...1855...> wrote:
> Hi Anvin,
> If you run snort on IDS mode, you can't drop network trafic.
> Your subject contains "Facebook Block" but your snort rules contains *youtube*...
> Warn: maybe Facebook are on https chanel...
> Regards
> Rmkml
> On Tue, 15 Feb 2011, anvin igcar wrote:
>> I want to block the INTERNAL NETWORK from viewing anything on www.youtube.com website.
>> I've configured snort in the IDS mode.
>> and I execute it this way
>> [root at ...15114... ~]# snort -dQ -c /etc/snort/snort.conf -l /var/log/snort -A console --daq dump

The dump daq is for testing; it won't actually put you inline.  If you
get your rules fixed you should see that blocked packets/sessions are
not written to inline-out.pcap.  If you want to block traffic for
real, you need an inline capable daq.  Check the daq distro README.

>> 1) pass tcp any any -> any any (content:"www.youtube.com"; msg:"You are BLOCKED...."; sid:9991111; rev:1;)
>> 2) drop tcp any any -> any any (content:"www.youtube.com"; msg:"You are BLOCKED...."; sid:9991112; rev:1;)
>> These rules are not blocking me from visiting the www.youtube.com website.
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list