[Snort-users] Snort react should return HTTP 302 instead of HTTP 403

Rishabh Shah rishabh420 at ...11827...
Thu Feb 26 02:07:01 EST 2015


Hi Snort Team,

Is it possible that Snort can return an HTTP 302 page instead of HTTP 403
forbidden when react is configured in the configuration file?

I have defined "config react: /var/www/html/block.html" in my configuration
file and my traffic hits the following rule:
reject tcp any any -> any any (msg:"Illegal access"; appid: facebook; sid: 1020120; rev: 1; react: msg;)

On my Windows client, I receive an HTTP 403 forbidden after sending a
Facebook request as shown in the packet capture below:

GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.facebook.com
Connection: Keep-Alive
Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l


*HTTP/1.1 403 Forbidden*
*Connection: close*
*Content-Type: text/html; charset=utf-8*
*Content-Length: 99*


*<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p>
</body> </html>*

<^Content of block.html>

But I want Snort to return HTTP 302 instead of HTTP 403, as the above
message doesn't get displayed in the browser when the response is HTTP 403.

I tried modifying "snort-2.9.7.0/src/detection-plugins/sp_react.c"
(replacing *HTTP/1.1 403 Forbidden\r\n* with *HTTP/1.1 302 Moved Temporarily\r\n*)
and did a make/make install to update the sp.react.o (object file). But I
am still receiving HTTP 403.

Kindly let me know if I am missing anything. Thank You!

Regards,
Rishabh Shah.