[Snort-users] Snort rule Facebook Block

Russ Combs rcombs at ...1935...
Tue Feb 15 15:15:56 EST 2011


On Tue, Feb 15, 2011 at 9:16 AM, Jason Wallace <jason.r.wallace at ...11827...> wrote:

> Also, another thing you might want to look at is the content replace
> options. Replace www.youtube.com GET requests with some internal web
> server address then on the web server rewrite all get requests to a
> web page that actually says "You Have Been Blocked". Definitely more
> fun than boring old drop rules. :)
>

The "react" rule option is another way to try that.

>
> Wally
>
> On Tue, Feb 15, 2011 at 6:53 AM, Russ Combs <rcombs at ...1935...> wrote:
> > On Tue, Feb 15, 2011 at 4:35 AM, rmkml <rmkml at ...1855...> wrote:
> >> Hi Anvin,
> >> If you run snort on IDS mode, you can't drop network traffic.
> >> Your subject contains "Facebook Block" but your snort rules contain
> *youtube*...
> >> Warn: maybe Facebook are on https channel...
> >> Regards
> >> Rmkml
> >>
> >>
> >> On Tue, 15 Feb 2011, anvin igcar wrote:
> >>
> >>> I want to block the INTERNAL NETWORK from viewing anything on
> www.youtube.com website.
> >>> I've configured snort in the IDS mode.
> >>> and I execute it this way
> >>> [root at ...15114... ~]# snort -dQ -c /etc/snort/snort.conf -l /var/log/snort -A console --daq dump
> >
> > The dump daq is for testing; it won't actually put you inline.  If you
> > get your rules fixed you should see that blocked packets/sessions are
> > not written to inline-out.pcap.  If you want to block traffic for
> > real, you need an inline capable daq.  Check the daq distro README.
> >
> >>> 1) pass tcp any any -> any any (content:"www.youtube.com"; msg:"You are BLOCKED...."; sid:9991111; rev:1;)
> >>> 2) drop tcp any any -> any any (content:"www.youtube.com"; msg:"You are BLOCKED...."; sid:9991112; rev:1;)
> >>> These rules are not blocking me from visiting the www.youtube.com website.
> >>
> >>
> ------------------------------------------------------------------------------
> >> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio
> XE:
> >> Pinpoint memory and threading errors before they happen.
> >> Find and fix more than 250 security defects in the development cycle.
> >> Locate bottlenecks in serial and parallel code that limit performance.
> >> http://p.sf.net/sfu/intel-dev2devfeb
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >
>
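A small rule linter for the two mistakes in the quoted rules (the pass rule shadowing the drop, and a content match that is not tied to the HTTP Host header), with a corrected rule to compare against. This is an added example by the editor, not code from this thread or from the Snort project. The corrected rules, their sids 1000001 and 1000002, the afpacket invocation and the $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS variables from the stock snort.conf are assumptions, and like any content rule they see nothing inside HTTPS.

```python
"""Lint Snort 2.x rules for the two mistakes discussed in the thread.
Added example: not code from the thread or from the Snort project."""
import re

# Snort's default rule-action order evaluates pass before drop/sdrop/reject,
# so a pass rule that covers the same traffic as a drop rule wins every time.
BLOCKING = ("drop", "sdrop", "reject")

# Content modifiers that pin a match to a field parsed by the HTTP inspector
# instead of raw bytes anywhere in either direction of the stream.
HTTP_MODIFIERS = {"http_header", "http_raw_header", "http_uri", "http_raw_uri",
                  "http_method", "http_cookie", "http_client_body"}

HEADER_RE = re.compile(
    r"^(?P<action>pass|drop|sdrop|reject|alert|log)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# keyword[:value];  the value may be a quoted string that itself contains ';'
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*((?:"[^"]*"|[^;])*))?\s*;')


def parse_rule(text):
    """Return (header dict, [(keyword, value), ...]) for one rule, or None."""
    m = HEADER_RE.match(text.replace("\n", " ").strip())
    if not m:
        return None
    header = m.groupdict()
    opts = [(k, (v or "").strip().strip('"'))
            for k, v in OPT_RE.findall(header.pop("opts"))]
    return header, opts


def option(opts, keyword):
    """Value of the first option with this keyword, or None."""
    return next((v for k, v in opts if k == keyword), None)


def lint_rules(rules):
    """Return [(sid, problem), ...]; an empty list means no finding."""
    parsed = [parse_rule(r) for r in rules]
    if None in parsed:
        raise ValueError("unparseable rule: %r" % rules[parsed.index(None)])
    findings = []

    # 1. A pass rule with the same header and content patterns as a blocking
    #    rule shadows it: the drop never fires, wherever it sits in the file.
    groups = {}
    for header, opts in parsed:
        key = (header["proto"], header["src"], header["sport"], header["dir"],
               header["dst"], header["dport"],
               tuple(v for k, v in opts if k == "content"))
        groups.setdefault(key, {})[header["action"]] = option(opts, "sid")
    for actions in groups.values():
        if "pass" not in actions:
            continue
        for act in BLOCKING:
            if act in actions:
                findings.append((actions[act], "%s never fires: pass rule sid %s "
                                 "matches the same traffic and pass is evaluated "
                                 "first" % (act, actions["pass"])))

    # 2. A bare content match is run against every packet's payload in both
    #    directions; tie it to the client's HTTP Host header and to the
    #    client-to-server side of an established session.
    for header, opts in parsed:
        sid, keywords = option(opts, "sid"), {k for k, _ in opts}
        if "content" in keywords and not keywords & HTTP_MODIFIERS:
            findings.append((sid, "content has no http_* modifier: matches raw "
                                  "payload, including the server's response"))
        if "content" in keywords and "flow" not in keywords:
            findings.append((sid, "no flow option: evaluated on both directions "
                                  "and on unestablished packets"))
    return findings


# The two rules quoted in the thread (constructed here from the quoted text).
THREAD_RULES = [
    'pass tcp any any -> any any (content:"www.youtube.com"; '
    'msg:"You are BLOCKED...."; sid:9991111; rev:1;)',
    'drop tcp any any -> any any (content:"www.youtube.com"; '
    'msg:"You are BLOCKED...."; sid:9991112; rev:1;)',
]

# Suggested replacement (editor's assumption, sid 1000001): no pass rule, and
# match the Host header of the client's request on an established session.
# Blocking still needs an inline-capable DAQ rather than --daq dump, e.g.
#   snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf
FIXED_RULES = [
    'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"POLICY www.youtube.com blocked"; flow:to_server,established; '
    'content:"Host|3A| www.youtube.com"; nocase; http_header; '
    'sid:1000001; rev:1;)',
]

# Same match, but answer the browser with Snort's block page instead of a
# silent drop (assumed sid 1000002; react needs Snort built with --enable-react).
REACT_RULE = (
    'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"POLICY www.youtube.com blocked"; flow:to_server,established; '
    'content:"Host|3A| www.youtube.com"; nocase; http_header; '
    'react:msg; sid:1000002; rev:1;)')

if __name__ == "__main__":
    for sid, problem in lint_rules(THREAD_RULES):
        print("sid %s: %s" % (sid, problem))
    print("fixed:", lint_rules(FIXED_RULES) or "no findings")
    print("react:", lint_rules([REACT_RULE]) or "no findings")
```

Run against the thread's two rules the linter reports the drop rule (sid 9991112) as dead because the pass rule (sid 9991111) matches the same traffic, and flags both rules for matching raw payload without a flow restriction; the suggested rules come back clean. The parser is deliberately simple (one rule per string, options split on ';' outside quotes) and is meant for a rules file you control, not for arbitrary rule text.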