[Snort-users] Re: RE: React option doesn't work

Robert Lasota wrkilu at ...3879...
Fri Mar 27 10:33:58 EDT 2015


On Friday, 27 March 2015 14:24 Al Lewis (allewi) <allewi at ...589...> wrote:
> That looks to be an Emerging Threat rule so you probably would want to contact them about that. There isn't a "content-list" rule option. The rule options are listed here: http://manual.snort.org/node32.html
>  
> As for the block page, are you listing the page with the "config react: <block.html>" in your config file? The steps are listed here http://manual.snort.org/node26.html under the "react" section.
>  
> Note that the block|warn options under react are deprecated so you may want to try removing the 'block' from the react option.
>  
>  
> This is taken from the manual:
>  
> This is an example rule:
>  
>  
>     drop tcp any any -> any $HTTP_PORTS ( \
>         content: "d"; msg:"Unauthorized Access Prohibited!"; \
>         react: <react_opts>; sid:4;)
>  
>     <react_opts> ::= [msg] [, <dep_opts>]
>  
>  
> These options are deprecated:
>  
>  
>     <dep_opts> ::= [block|warn], [proxy <port#>]
>  
>  
>  
> Hope this helps.
>  


Well, this sample isn't clear to me.
In the rule I now have:
... rev:2; react: <react_opts>;  )

In snort.conf I've set:
config react: </opt/etc/snort/block.html>

and during startup there is an error:

snort[23748]: FATAL ERROR: react: /opt/etc/snort/rules_tmp/emerging-current_events.rules(5347) can't stat react page file '</opt/etc/snort/block.html>'.

Also I don't know where exactly to set:
<react_opts> ::= [msg]
In snort.conf? In the rule?

I regret there aren't any samples or tutorials of the above on the internet. Am I the only one who uses an information page about blocking in IPS? ;)
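
Added example, not part of the original thread and not Snort's own code: a small pre-flight check for the failure in the FATAL ERROR above, where the angle brackets from the manual's syntax notation end up as literal characters in `config react:` or in a rule's `react:` option. It also flags the `block`, `warn` and `proxy` options that the quoted manual text lists as deprecated. The sample lines are constructed from the settings quoted in the thread (sids 5 and 6 are made up), and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the settings quoted in the thread.
SAMPLE_CONF = "config react: </opt/etc/snort/block.html>\n"
SAMPLE_RULES = """\
drop tcp any any -> any $HTTP_PORTS (content:"d"; msg:"Unauthorized Access Prohibited!"; react: <react_opts>; sid:4;)
drop tcp any any -> any $HTTP_PORTS (content:"e"; msg:"Blocked"; react: block, msg; sid:5;)
drop tcp any any -> any $HTTP_PORTS (content:"f"; msg:"Blocked"; react: msg; sid:6;)
"""

CONF_REACT = re.compile(r'^\s*config\s+react\s*:\s*(.+?)\s*$')
# Simplification: assumes "react:" does not also occur inside a quoted string.
RULE_REACT = re.compile(r'\breact\s*:\s*([^;]*);')
DEPRECATED = {"block", "warn", "proxy"}  # <dep_opts> in the quoted manual text


def lint_conf(text):
    """Flag 'config react:' values still wrapped in <...> from the manual."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CONF_REACT.match(line)
        if m and m.group(1).startswith("<") and m.group(1).endswith(">"):
            # Report the bare path that should have been written instead.
            findings.append((n, "conf-brackets", m.group(1)[1:-1]))
    return findings


def lint_rules(text):
    """Flag literal <placeholders> and deprecated options in react: options."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out rule
        m = RULE_REACT.search(line)
        if not m:
            continue
        for opt in (o.strip() for o in m.group(1).split(",")):
            if opt.startswith("<") and opt.endswith(">"):
                findings.append((n, "rule-placeholder", opt))
            elif opt and opt.split()[0] in DEPRECATED:
                findings.append((n, "rule-deprecated", opt))
    return findings


if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF) + lint_rules(SAMPLE_RULES):
        print(finding)
```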







