[Snort-users] Snort react should return HTTP 302 instead of HTTP 403
rucombs at ...589...
Mon Mar 2 08:57:07 EST 2015
Two comments below ...
On 2/26/15 2:07 AM, Rishabh Shah wrote:
> Hi Snort Team,
> Is it possible that Snort can return a HTTP 302 page instead of HTTP
> 403 forbidden when react is configured in the configuration file?
Yes. The configured must be the actual HTTP response (headers and body)
and not just the page content you want to see. If you are still having
trouble, please send tcpdump style output of response packet.
> I have defined "config react: /var/www/html/block.html" in my
> configuration file and my traffic hits the following rule:
> reject tcp any any -> any any (msg:"Illegal access"; appid: facebook;
> sid: 1020120; rev: 1; react: msg;)
> On my windows client, I receive an HTTP 403 forbidden after sending a
> facebook request as shown in the packet capture below:
> GET / HTTP/1.1
> Accept: application/x-ms-application, image/jpeg,
> application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
> Accept-Language: en-US
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
> Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
> 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
> Accept-Encoding: gzip, deflate
> Host: www.facebook.com <http://www.facebook.com>
> Connection: Keep-Alive
> Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l
> *HTTP/1.1 403 Forbidden*
> *Connection: close*
> *Content-Type: text/html; charset=utf-8*
> *Content-Length: 99*
> *<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My
> paragraph.</p> </body> </html>
> <^Content of block.html>
> But I want Snort to return HTTP 302 instead of HTTP 403, as the above
> message doesn't get displayed in the browser when the response is HTTP
> I tried modifying "snort-126.96.36.199/src/detection-plugins/sp_react.c"
> (replacing *HTTP/1.1 403 Forbidden\r\n* to *HTTP/1.1 302 Moved
> Temporarily*\r\n )and did a make/make install to update the sp.react.o
> (object file). But I am still receiving HTTP 403.
You should not need to change the code. Since you didn't get any
different ouptut, are you sure you are running the correct binary?
> Kindly let me know if I am missing anything. Thank You!
> Rishabh Shah.
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users