[Snort-users] Odp: Re: Odp: RE: React option doesn't work

Robert Lasota wrkilu at ...3879...
Fri Mar 27 14:49:58 EDT 2015


On Friday, 27 March 2015 16:11, Carter Waxman (cwaxman) <cwaxman at ...589...> wrote:
> Do you have those angle brackets in the config line? It should be
>  
> config react: /opt/etc/snort/block.html
>  
> Those options would be part of the rule, following the react keyword, but
> simply specifying react and including the "config react" line in
> snort.conf should be sufficient to show block.html.
>  

I have "config react: /opt/etc/snort/block.html" in snort.conf

The rule is (from man), and this is the only rule I have now in Snort:
drop tcp any any -> any $HTTP_PORTS ( content: "d"; msg:"Unauthorized Access Prohibited!"; react: msg; sid:4;)

block.html is:
<html>
<head>
<title>INFO</title>
</head>
<body>
<p>Access denied</p>
</body>
</html>


and nothing :(, I mean it's blocking, in the log there is:
Mar 27 18:46:07 ip-10-192-2-120 snort[4956]: [1:4:0] Unauthorized Access Prohibited! {TCP} 10.192.1.91:54562 -> 212.77.98.9:80

but still no info page in the web browser, just "the connection was reset"




>  
> On 3/27/15, 10:33 AM, "Robert Lasota" <wrkilu at ...3879...> wrote:
>  
> >On Friday, 27 March 2015 14:24, Al Lewis (allewi) <allewi at ...589...>
> >wrote:
> >> That looks to be an Emerging Threat rule so you probably would want to
> >>contact them about that. There isn't a "content-list" rule option. The
> >>rule options are listed here: http://manual.snort.org/node32.html
> >> 
> >> As for the block page are you listing the page with the "config react:
> >><block.html>" in your config file? The steps are listed here
> >>http://manual.snort.org/node26.html under the "react" section.
> >> 
> >> Note that the block|warn options under react are deprecated so you may
> >>want to try removing the 'block' from the react option.
> >> 
> >> 
> >> This is taken from the manual:
> >> 
> >> This is an example rule:
> >> 
> >> 
> >>     drop tcp any any -> any $HTTP_PORTS ( \
> >>         content: "d"; msg:"Unauthorized Access Prohibited!"; \
> >>         react: <react_opts>; sid:4;)
> >> 
> >>     <react_opts> ::= [msg] [, <dep_opts>]
> >> 
> >> 
> >> These options are deprecated:
> >> 
> >> 
> >>     <dep_opts> ::= [block|warn], [proxy <port#>]
> >> 
> >> 
> >> 
> >> Hope this helps.
> >> 
> >
> >
> >Well, this sample isn't clear to me.
> >In the rule I have now:
> >... rev:2; react: <react_opts>;  )
> >
> >in snort.conf I've set:
> >config react: </opt/etc/snort/block.html>
> >
> >and during startup there is an error:
> >
> >snort[23748]: FATAL ERROR: react:
> >/opt/etc/snort/rules_tmp/emerging-current_events.rules(5347) can't stat
> >react page file '</opt/etc/snort/block.html>'.
> >
> >Also I don't know where exactly to set:
> ><react_opts> ::= [msg]
> >in snort.conf ? in rule ?
> >
> >I regret there aren't any samples or tutorials of the above on the internet.
> >Am I the only one who uses an information page about blocking in an IPS? ;)
> >
> >
> >
> >
> >
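
Added example, not part of the original thread and not Snort code: a small Python check for the mistakes discussed above, namely manual placeholder notation (angle brackets, `<react_opts>`) copied literally into snort.conf or a rule, and the react options the quoted manual excerpt lists as deprecated. The function names, finding labels and sample input are constructed for illustration.

```python
import os
import re

CONF_RE = re.compile(r"^\s*config\s+react\s*:\s*(.+?)\s*$", re.M)
REACT_OPT_RE = re.compile(r"\breact\s*:\s*([^;]*);")
DEPRECATED = {"block", "warn", "proxy"}  # per the manual excerpt quoted in the thread


def lint_conf(conf_text, is_file=os.path.isfile):
    """Check every 'config react:' line in snort.conf text."""
    findings = []
    for path in CONF_RE.findall(conf_text):
        # Brackets are manual notation; Snort takes them as part of the filename.
        if path.startswith("<") or path.endswith(">"):
            findings.append(("placeholder-brackets", path))
        elif not is_file(path):
            findings.append(("page-not-found", path))
    return findings


def lint_rules(rules_text):
    """Check the argument of each react: option in a rules file."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out rule
        for opts in REACT_OPT_RE.findall(line):
            if "<" in opts or ">" in opts:
                findings.append((lineno, "placeholder-literal", opts.strip()))
                continue
            words = {tok.split()[0] for tok in opts.split(",") if tok.strip()}
            for word in sorted(words & DEPRECATED):
                findings.append((lineno, "deprecated-option", word))
    return findings


# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_CONF = "config react: </opt/etc/snort/block.html>\n"
SAMPLE_RULES = (
    'drop tcp any any -> any $HTTP_PORTS (content:"d"; msg:"x"; react: <react_opts>; sid:4;)\n'
    'drop tcp any any -> any $HTTP_PORTS (content:"d"; msg:"x"; react: block, msg; sid:5;)\n'
    'drop tcp any any -> any $HTTP_PORTS (content:"d"; msg:"x"; react: msg; sid:6;)\n'
)

if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF) + lint_rules(SAMPLE_RULES):
        print(finding)
```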
