[Snort-users] React option doesn't work

Robert Lasota wrkilu at ...3879...
Fri Mar 27 05:27:14 EDT 2015


I've installed newest Snort ( from source with options:
 ./configure --prefix=/opt/usr  --enable-sourcefire --with-daq-libraries=/opt/usr/lib/daq/ --with-daq-includes=/opt/usr/include/ --disable-gre --disable-mpls --disable-corefiles --disable-dlclose --enable-react --enable-active-response --enable-flexresp3

I run it in inline mode with options:
--daq nfq --daq-var queue=0 -D -Q -c /opt/etc/snort/snort.conf -l /var/log/snort --no-interface-pidfile

... and it's blocking traffic, but unfortunately it doesn't display a message in the web browser about this block.

Rule is:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content-list:"exe"; msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase;  http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; classtype:bad-unknown; sid:2019714; rev:2;  react: block, msg; )

Without content-list:"exe" it just blocks;
with content-list:"exe" it doesn't even start, because it reports the error: Unknown rule option: 'content-list'.

So, what is going on? How do I fix it, or what is another way to display a message in the web browser while blocking (in inline mode with the DAQ we are using)?

Please help us; we are working on a serious project with Snort and this is very important for us.

Robert Lasota
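An added example, not part of the thread and not Snort's own code: a small rule linter that tokenises the option block of the rule above (honouring `;` and `\` inside quoted values, as in the pcre) and reports option keywords Snort would reject as unknown. The allow-list KNOWN_OPTIONS is a constructed subset covering only the keywords used in this rule, with content-list deliberately left out since the poster's build rejects it; a real deployment would extend it to the full option set of the Snort version in use.

```python
import re

# Constructed allow-list: only the keywords used in the rule from the thread.
# content-list is intentionally absent (the poster's Snort build rejects it).
KNOWN_OPTIONS = {
    "msg", "flow", "content", "http_uri", "http_header", "distance", "within",
    "fast_pattern", "nocase", "pcre", "classtype", "sid", "rev", "react",
}

# The rule from the thread, embedded as the sample input.
RULE = (
    r'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content-list:"exe"; '
    r'msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high '
    r'likelihood of being hostile"; flow:established,to_server; content:"/"; '
    r'http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; '
    r'content:!"Referer|3a 20|"; nocase;  http_header; '
    r'pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; classtype:bad-unknown; '
    r'sid:2019714; rev:2;  react: block, msg; )'
)

def parse_option(token):
    """Split 'keyword:value' (value may be absent, e.g. 'nocase')."""
    key, sep, val = token.partition(":")
    return key.strip(), (val.strip() if sep else None)

def split_options(rule):
    """Return (header, [(keyword, value), ...]) for one Snort rule.
    A ';' inside double quotes does not end an option, and a backslash
    escapes the next character inside quotes."""
    start, end = rule.index("("), rule.rindex(")")
    header, body = rule[:start].strip(), rule[start + 1:end]
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            cur.extend((ch, body[i + 1])); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(cur).strip():
                opts.append(parse_option("".join(cur)))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():
        opts.append(parse_option("".join(cur)))
    return header, opts

def lint_rule(rule, known=KNOWN_OPTIONS):
    """Return the option keywords not in the allow-list, in rule order."""
    return [k for k, _ in split_options(rule)[1] if k not in known]
```

Running lint_rule(RULE) returns ['content-list'], the same keyword Snort names in its "Unknown rule option" error, so the check can be run over a ruleset before restarting the sensor.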

