[Snort-users] Odp: Re: Odp: RE: React option doesn't work

Carter Waxman (cwaxman) cwaxman at ...589...
Fri Mar 27 15:24:03 EDT 2015


Can you check the connection with tcpdump from between Snort and the
client? Do you see a FIN for the HTTP session?

On 3/27/15, 2:49 PM, "Robert Lasota" <wrkilu at ...3879...> wrote:

>On Friday, 27 March 2015 16:11 Carter Waxman (cwaxman)
><cwaxman at ...589...> wrote:
>> Do you have those angle brackets in the config line? It should be
>>  
>> config react: /opt/etc/snort/block.html
>>  
>> Those options would be part of the rule, following the react keyword, but
>> simply specifying react and including the "config react" line in
>> snort.conf should be sufficient to show block.html.
>>  
>
>I have "config react: /opt/etc/snort/block.html" in snort.conf
>
>The rule is (from man), and this is the only rule I have now in Snort:
>drop tcp any any -> any $HTTP_PORTS ( content: "d"; msg:"Unauthorized
>Access Prohibited!"; react: msg; sid:4;)
>
>block.html is:
><html>
><head>
><title>INFO</title>
></head>
><body>
><p>Access denied</p>
></body>
></html>
>
>
>and nothing :(, I mean it's blocking, in the log is:
>Mar 27 18:46:07 ip-10-192-2-120 snort[4956]: [1:4:0] Unauthorized Access
>Prohibited! {TCP} 10.192.1.91:54562 -> 212.77.98.9:80
>
>but still no info page in the web browser, just "the connection was reset"
>
>>  
>> On 3/27/15, 10:33 AM, "Robert Lasota" <wrkilu at ...3879...> wrote:
>>  
>> >On Friday, 27 March 2015 14:24 Al Lewis (allewi) <allewi at ...589...>
>> >wrote:
>> >> That looks to be an Emerging Threat rule so you probably would want to
>> >> contact them about that. There isn't a "content-list" rule option. The
>> >> rule options are listed here: http://manual.snort.org/node32.html
>> >> 
>> >> As for the block page are you listing the page with the "config react:
>> >> <block.html>" in your config file? The steps are listed here
>> >> http://manual.snort.org/node26.html under the "react" section.
>> >> 
>> >> Note that the block|warn options under react are deprecated so you may
>> >> want to try removing the 'block' from the react option.
>> >> 
>> >> 
>> >> This is taken from the manual:
>> >> 
>> >> This is an example rule:
>> >> 
>> >> 
>> >>     drop tcp any any -> any $HTTP_PORTS ( \
>> >>         content: "d"; msg:"Unauthorized Access Prohibited!"; \
>> >>         react: <react_opts>; sid:4;)
>> >> 
>> >>     <react_opts> ::= [msg] [, <dep_opts>]
>> >> 
>> >> 
>> >> These options are deprecated:
>> >> 
>> >> 
>> >>     <dep_opts> ::= [block|warn], [proxy <port#>]
>> >> 
>> >> 
>> >> 
>> >> Hope this helps.
>> >> 
>> >
>> >
>> >Well, this sample isn't clear to me.
>> >In the rule I have now:
>> >... rev:2; react: <react_opts>;  )
>> >
>> >In snort.conf I've set:
>> >config react: </opt/etc/snort/block.html>
>> >
>> >and during startup there is an error:
>> >
>> >snort[23748]: FATAL ERROR: react:
>> >/opt/etc/snort/rules_tmp/emerging-current_events.rules(5347) can't stat
>> >react page file '</opt/etc/snort/block.html>'.
>> >
>> >Also I don't know where exactly to set:
>> ><react_opts> ::= [msg]
>> >in snort.conf? in the rule?
>> >
>> >I regret there aren't any samples or tutorials of the above on the
>> >internet. Am I the only one who uses an information page about blocking
>> >in an IPS? ;)
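The two mistakes discussed in this thread (the manual's BNF placeholders `<react_opts>` and `<block.html>` copied literally into a rule or into snort.conf, and the deprecated block/warn/proxy options) can be caught before Snort refuses to start. The following checker is an added example, not code from the thread or from the Snort project; it encodes only the grammar quoted from the manual above, and the `exists` parameter is a hypothetical hook so the file check can be exercised without a real filesystem.

```python
import os
import re

# Grammar quoted from the Snort manual earlier in this thread:
#   <react_opts> ::= [msg] [, <dep_opts>]
#   <dep_opts>   ::= [block|warn], [proxy <port#>]
REACT_OPT_RE = re.compile(r"^(msg|block|warn|proxy\s+\d+)$")
DEPRECATED = {"block", "warn", "proxy"}


def check_config_react(line, exists=os.path.exists):
    """Problems in a 'config react:' line from snort.conf (empty list = OK).
    `exists` is a hook (assumed, for testing) replacing the stat() Snort does."""
    m = re.match(r"^\s*config\s+react\s*:\s*(.*?)\s*$", line)
    if not m:
        return ["not a 'config react:' line"]
    problems, path = [], m.group(1)
    if path.startswith("<") and path.endswith(">"):
        # The manual's angle brackets mark a placeholder; Snort would try to
        # stat a file literally named '<...>' and abort with a FATAL ERROR.
        problems.append("angle brackets are not part of the path: %s" % path)
        path = path[1:-1]
    if not exists(path):
        problems.append("can't stat react page file '%s'" % path)
    return problems


def check_rule_react(rule):
    """Problems in the react option of one Snort rule (empty list = OK)."""
    m = re.search(r"\breact\s*(?::\s*([^;]*))?;", rule)
    if not m:
        return ["rule has no react option"]
    opts = (m.group(1) or "").strip()  # bare 'react;' is valid: no options
    if "<" in opts or ">" in opts:
        # e.g. 'react: <react_opts>;' copied verbatim from the manual
        return ["'%s' is a manual placeholder; use 'react: msg;' or 'react;'" % opts]
    problems = []
    for opt in (o.strip() for o in opts.split(",") if o.strip()):
        if not REACT_OPT_RE.match(opt):
            problems.append("unknown react option '%s'" % opt)
        elif opt.split()[0] in DEPRECATED:
            problems.append("react option '%s' is deprecated" % opt)
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the two configurations discussed above.
    for cfg in ("config react: </opt/etc/snort/block.html>",
                "config react: /opt/etc/snort/block.html"):
        print(cfg, "->", check_config_react(cfg) or "OK")
    for rule in ('alert tcp any any -> any $HTTP_PORTS (rev:2; react: <react_opts>; sid:1;)',
                 'drop tcp any any -> any $HTTP_PORTS (content:"d"; react: msg; sid:4;)'):
        print(rule, "->", check_rule_react(rule) or "OK")
```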
