[Snort-users] Snort react should return HTTP 302 instead of HTTP 403
rishabh420 at ...11827...
Thu Feb 26 02:07:01 EST 2015
Hi Snort Team,
Is it possible that Snort can return a HTTP 302 page instead of HTTP 403
forbidden when react is configured in the configuration file?
I have defined "config react: /var/www/html/block.html" in my configuration
file and my traffic hits the following rule:
reject tcp any any -> any any (msg:"Illegal access"; appid: facebook; sid:
1020120; rev: 1; react: msg;)
On my windows client, I receive an HTTP 403 forbidden after sending a
facebook request as shown in the packet capture below:
GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
*HTTP/1.1 403 Forbidden*
*Content-Type: text/html; charset=utf-8*
*<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p>
<^Content of block.html>
But I want Snort to return HTTP 302 instead of HTTP 403, as the above
message doesn't get displayed in the browser when the response is HTTP 403.
I tried modifying "snort-184.108.40.206/src/detection-plugins/sp_react.c"
(replacing *HTTP/1.1 403 Forbidden\r\n* to *HTTP/1.1 302 Moved Temporarily*\r\n
)and did a make/make install to update the sp.react.o (object file). But I
am still receiving HTTP 403.
Kindly let me know if I am missing anything. Thank You!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users