[Snort-users] Odp: Re: Odp: RE: React option doesn't work

Victor Roemer viroemer at ...589...
Fri Mar 27 15:02:39 EDT 2015


Robert,

Can you review your daq options please; looking at the README from the 
daq tar.gz, it looks like you need to add:

--daq-var device=<dev>

Here is the snippet that I am referring to:

-------- 8< -------
NFQ Module
==========

NFQ is the new and improved way to process iptables packets:

     ./snort --daq nfq \
         [--daq-var device=<dev>] \
         [--daq-var proto=<proto>] \
         [--daq-var queue=<qid>]

     <dev> ::= ip | eth0, etc; default is IP injection
     <proto> ::= ip4 | ip6 |; default is ip4
     <qid> ::= 0..65535; default is 0

This module can not run unprivileged so ./snort -u -g will produce a warning
and won't change user or group.

----- 8< -----

~victor

On 03/27/15 14:49, Robert Lasota wrote:
> On Friday, 27 March 2015 16:11 Carter Waxman (cwaxman) <cwaxman at ...589...> wrote:
>> Do you have those angle brackets in the config line? It should be
>>   
>> config react: /opt/etc/snort/block.html
>>   
>> Those options would be part of the rule, following the react keyword, but
>> simply specifying react and including the "config react" line in
>> snort.conf should be sufficient to show block.html.
>>   
> I have "config react: /opt/etc/snort/block.html" in snort.conf
>
> The rule is (from the manual), and this is the only rule I have in Snort now:
> drop tcp any any -> any $HTTP_PORTS ( content: "d"; msg:"Unauthorized Access Prohibited!"; react: msg; sid:4;)
>
> block.html is:
> <html>
> <head>
> <title>INFO</title>
> </head>
> <body>
> <p>Access denied</p>
> </body>
> </html>
>
>
> and nothing :(, I mean it's blocking, in the log is:
> Mar 27 18:46:07 ip-10-192-2-120 snort[4956]: [1:4:0] Unauthorized Access Prohibited! {TCP} 10.192.1.91:54562 -> 212.77.98.9:80
>
> but still no info page in the web browser, just "the connection was reset"
>
>
>
>
>>   
>> On 3/27/15, 10:33 AM, "Robert Lasota" <wrkilu at ...3879...> wrote:
>>   
>>> On Friday, 27 March 2015 14:24 Al Lewis (allewi) <allewi at ...589...> wrote:
>>>> That looks to be an Emerging Threat rule so you probably would want to
>>>> contact them about that. There isn't a "content-list" rule option. The
>>>> rule options are listed here: http://manual.snort.org/node32.html
>>>>
>>>> As for the block page are you listing the page with the "config react:
>>>> <block.html>" in your config file? The steps are listed here
>>>> http://manual.snort.org/node26.html under the "react" section.
>>>>
>>>> Note that the block|warn options under react are deprecated so you may
>>>> want to try removing the 'block' from the react option.
>>>>
>>>>
>>>> This is taken from the manual:
>>>>
>>>> This is an example rule:
>>>>
>>>>
>>>>      drop tcp any any -> any $HTTP_PORTS ( \
>>>>          content: "d"; msg:"Unauthorized Access Prohibited!"; \
>>>>          react: <react_opts>; sid:4;)
>>>>
>>>>      <react_opts> ::= [msg] [, <dep_opts>]
>>>>
>>>>
>>>> These options are deprecated:
>>>>
>>>>
>>>>      <dep_opts> ::= [block|warn], [proxy <port#>]
>>>>
>>>>
>>>>
>>>> Hope this helps.
>>>>
>>>
>>> Well, this sample isn't clear to me.
>>> In the rule I now have:
>>> ... rev:2; react: <react_opts>;  )
>>>
>>> In snort.conf I've set:
>>> config react: </opt/etc/snort/block.html>
>>>
>>> and during startup there is an error:
>>>
>>> snort[23748]: FATAL ERROR: react:
>>> /opt/etc/snort/rules_tmp/emerging-current_events.rules(5347) can't stat
>>> react page file '</opt/etc/snort/block.html>'.
>>>
>>> Also I don't know where exactly to set:
>>> <react_opts> ::= [msg]
>>> in snort.conf? In the rule?
>>>
>>> I regret there aren't any samples or tutorials of the above on the internet. Am I
>>> the only one using an information page about blocking in an IPS? ;)
>>>
>
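A pre-flight check for the two configuration points discussed in this thread, written as an added POSIX sh example that is not from the list or from the Snort project: it verifies that the page named by "config react:" is one Snort can actually stat (catching the placeholder brackets copied literally and a missing file), and builds the inline NFQ command line from the DAQ README, where device, proto and queue are --daq-var settings. The sample snort.conf fragments and block page are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the "config react:"
# page read from snort.conf, plus the NFQ DAQ command line from the DAQ README.

# Print the page path given after "config react:" (first match only).
react_page_path() {
    sed -n 's/^[[:space:]]*config[[:space:]]*react:[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 only if Snort would be able to stat the configured page.
# Catches the two mistakes seen in the thread: the manual's placeholder
# brackets copied literally, and a page file that does not exist.
check_react_page() {
    page=$(react_page_path "$1")
    if [ -z "$page" ]; then
        echo "no 'config react:' line in $1"; return 1
    fi
    case "$page" in
        *'<'*|*'>'*)
            echo "'$page' has angle brackets; <block.html> in the manual is a placeholder"
            return 1 ;;
    esac
    if [ ! -r "$page" ]; then
        echo "react page '$page' is not readable; Snort would fail with can't stat"; return 1
    fi
    echo "react page '$page' OK"
}

# Inline invocation with the NFQ DAQ: device, proto and queue are DAQ
# variables (--daq-var), not Snort command-line flags. Defaults as in the README.
nfq_cmdline() {
    printf 'snort -c %s --daq nfq --daq-var device=%s --daq-var proto=%s --daq-var queue=%s\n' \
        "$1" "$2" "${3:-ip4}" "${4:-0}"
}

# Constructed samples: a correct snort.conf, one with the brackets copied
# literally, one pointing at a missing page. Prints the temp dir (not removed).
make_samples() {
    d=$(mktemp -d)
    printf '<html><body><p>Access denied</p></body></html>\n' > "$d/block.html"
    printf 'config react: %s/block.html\n'   "$d" > "$d/good.conf"
    printf 'config react: <%s/block.html>\n' "$d" > "$d/brackets.conf"
    printf 'config react: %s/missing.html\n' "$d" > "$d/missing.conf"
    echo "$d"
}

SAMPLES=$(make_samples)
for c in good brackets missing; do check_react_page "$SAMPLES/$c.conf" || :; done
nfq_cmdline "$SAMPLES/good.conf" eth0
```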
