[Snort-users] Snort react should return HTTP 302 instead of HTTP 403

Rishabh Shah rishabh420 at ...11827...
Tue Mar 3 10:13:03 EST 2015


Hi Russ,

It started working after creating the following html file. Thanks for your
help.

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>Error 403 Permission denied</title>
<style>
<!--
        body {font-family: arial,sans-serif}
        img { border:none; }
//-->
</style>
</head>
<body>
<blockquote>
        <h2>Error 403 Permission denied</h2>
        <p>You do not have permission to retrieve the URL or link you
requested</p>
           Please inform the administrator of the referring page, if you
think this was a mistake.
</blockquote>
</body>
</html>



On Mon, Mar 2, 2015 at 7:27 PM, Russ <rucombs at ...589...> wrote:

>  Two comments below ...
>
> On 2/26/15 2:07 AM, Rishabh Shah wrote:
>
> Hi Snort Team,
>
>  Is it possible that Snort can return a HTTP 302 page instead of HTTP 403
> forbidden when react is configured in the configuration file?
>
> Yes.  The configured file must be the actual HTTP response (headers and body)
> and not just the page content you want to see.  If you are still having
> trouble, please send tcpdump style output of response packet.
>
>
>  I have defined "config react: /var/www/html/block.html" in my
> configuration file and my traffic hits the following rule:
>  reject tcp any any -> any any (msg:"Illegal access"; appid: facebook;
> sid: 1020120; rev: 1; react: msg;)
>
>  On my windows client, I receive an HTTP 403 forbidden after sending a
> facebook request as shown in the packet capture below:
>
>  GET / HTTP/1.1
> Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
> image/gif, image/pjpeg, application/x-ms-xbap, */*
>  Accept-Language: en-US
>  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
> Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
> 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
>  Accept-Encoding: gzip, deflate
>  Host: www.facebook.com
>  Connection: Keep-Alive
>  Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l
>
>
>  HTTP/1.1 403 Forbidden
> Connection: close
> Content-Type: text/html; charset=utf-8
> Content-Length: 99
>
>
> <!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p>
> </body> </html>
>
>  <^Content of block.html>
>
>  But I want Snort to return HTTP 302 instead of HTTP 403, as the above
> message doesn't get displayed in the browser when the response is HTTP 403.
>
>  I tried modifying "snort-2.9.7.0/src/detection-plugins/sp_react.c"
> (replacing "HTTP/1.1 403 Forbidden\r\n" with "HTTP/1.1 302 Moved
> Temporarily\r\n") and did a make/make install to update the sp_react.o
> (object file). But I am still receiving HTTP 403.
>
> You should not need to change the code.  Since you didn't get any
> different output, are you sure you are running the correct binary?
>
>
>  Kindly let me know if I am missing anything. Thank You!
>
>  Regards,
> Rishabh Shah.
>
>


-- 
Regards,
Rishabh Shah.
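As an added example (not code from this thread or from Snort itself), here is a small Python helper that builds a complete HTTP response file of the kind Russ describes, a status line plus headers and body rather than bare page content, and a checker for the two mistakes most likely to make a redirect page fail: a 302 without a Location header and a Content-Length that does not match the body. The redirect URL and the page text are constructed placeholders, and the assumption that the react file holds the full response follows Russ's comment above.

```python
import re

# Constructed placeholder body for a block/redirect page (not from the thread).
REDIRECT_HTML = (
    "<html><head><title>Redirected</title></head>"
    "<body><p>This request was blocked by policy.</p></body></html>"
)


def build_react_response(status_line: str, body: str, extra_headers=None) -> bytes:
    """Build a full HTTP/1.1 response: status line, headers, blank line, body.
    Content-Length is computed from the encoded body so it cannot drift."""
    payload = body.encode("utf-8")
    headers = [
        status_line,
        "Connection: close",
        "Content-Type: text/html; charset=utf-8",
        f"Content-Length: {len(payload)}",
    ]
    headers.extend(extra_headers or [])
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + payload


def check_react_response(raw: bytes) -> list:
    """Return a list of problems found in a response file; empty means OK."""
    problems = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        # Bare page content (as in the 403 capture above) has no header block.
        return ["missing CRLFCRLF between headers and body"]
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3}) ", lines[0])
    if not m:
        return [f"bad status line: {lines[0]!r}"]
    code = int(m.group(1))
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower()] = value.strip()
    # A browser only follows a 3xx if it is told where to go.
    if code in (301, 302, 303, 307, 308) and b"location" not in hdrs:
        problems.append(f"{code} response has no Location header")
    # A wrong Content-Length makes the client truncate or hang on the body.
    if b"content-length" in hdrs and int(hdrs[b"content-length"]) != len(body):
        problems.append("Content-Length does not match body length")
    return problems
```

Writing `build_react_response("HTTP/1.1 302 Found", REDIRECT_HTML, ["Location: http://blocked.example/"])` to the file named in `config react:` gives a response that `check_react_response` accepts; the placeholder URL must be replaced with the real landing page.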