[Snort-users] Snort react should return HTTP 302 instead of HTTP 403

Rishabh Shah rishabh420 at ...11827...
Mon Mar 2 08:33:09 EST 2015


Hi Team,

Did anyone have a chance to look into this?
Thanks!

On Thu, Feb 26, 2015 at 12:37 PM, Rishabh Shah <rishabh420 at ...11827...> wrote:

> Hi Snort Team,
>
> Is it possible that Snort can return an HTTP 302 page instead of HTTP 403
> forbidden when react is configured in the configuration file?
>
> I have defined "config react: /var/www/html/block.html" in my
> configuration file and my traffic hits the following rule:
> reject tcp any any -> any any (msg:"Illegal access"; appid: facebook; sid: 1020120; rev: 1; react: msg;)
>
> On my Windows client, I receive an HTTP 403 forbidden after sending a
> Facebook request as shown in the packet capture below:
>
> GET / HTTP/1.1
> Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
> image/gif, image/pjpeg, application/x-ms-xbap, */*
> Accept-Language: en-US
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
> Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
> 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
> Accept-Encoding: gzip, deflate
> Host: www.facebook.com
> Connection: Keep-Alive
> Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l
>
>
> *HTTP/1.1 403 Forbidden*
> *Connection: close*
> *Content-Type: text/html; charset=utf-8*
> *Content-Length: 99*
>
>
> *<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p>
> </body> </html>*
>
> <^Content of block.html>
>
> But I want Snort to return HTTP 302 instead of HTTP 403, as the above
> message doesn't get displayed in the browser when the response is HTTP 403.
>
> I tried modifying "snort-2.9.7.0/src/detection-plugins/sp_react.c"
> (replacing *HTTP/1.1 403 Forbidden\r\n* with *HTTP/1.1 302 Moved
> Temporarily\r\n*) and did a make/make install to update the sp.react.o
> (object file). But I am still receiving HTTP 403.
>
> Kindly let me know if I am missing anything. Thank You!
>
> Regards,
> Rishabh Shah.
>



-- 
Regards,
Rishabh Shah.