[Snort-users] Block packets using snort with pf_ring

Al Lewis (allewi) allewi at ...589...
Tue Sep 29 07:04:13 EDT 2015


Is your sensor inline?

You can test to see if the rule will drop by running snort something like this:

./bin/snort -c etc/test.conf -Q --daq dump --daq-var load-mode=read-file -r etc/test.pcap -l. -H -U -k none -q

The daq will dump an inline-out.pcap that you can look at and see the reset packets in there.

I just tested this on a rule and it works.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
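As an added example (not part of this thread, and not Snort or DAQ code), a small Python checker for the inline-out.pcap that the dump DAQ writes: it walks a classic little-endian pcap and lists every TCP packet with the RST flag set, so the injected resets can be confirmed without opening the file in a packet viewer. The sample capture is constructed inline; the addresses and ports in it are made up.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_TCP, TCP_RST = 0x0800, 6, 0x04

def iter_frames(pcap: bytes):
    # Classic little-endian libpcap: 24-byte global header, then 16-byte record headers.
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_resets(pcap: bytes):
    # Return (src, dst, flags) for every Ethernet/IPv4/TCP frame with RST set.
    found = []
    for f in iter_frames(pcap):
        if len(f) < 34 or struct.unpack_from("!H", f, 12)[0] != ETHERTYPE_IPV4:
            continue
        tcp = 14 + (f[14] & 0x0F) * 4            # Ethernet header + IHL*4
        if f[23] != IPPROTO_TCP or len(f) < tcp + 14:
            continue
        flags = f[tcp + 13]
        if flags & TCP_RST:
            sport, dport = struct.unpack_from("!HH", f, tcp)
            src = ".".join(map(str, f[26:30])) + f":{sport}"
            dst = ".".join(map(str, f[30:34])) + f":{dport}"
            found.append((src, dst, flags))
    return found

def build_frame(src, dst, sport, dport, flags):
    # Constructed Ethernet/IPv4/TCP frame for the stand-alone sample (checksums zeroed).
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed stand-in for inline-out.pcap: a client request plus the two resets of reset_both.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "198.51.100.20", 40000, 80, 0x18),   # PSH|ACK
    build_frame("198.51.100.20", "192.0.2.10", 80, 40000, 0x14),   # RST|ACK to client
    build_frame("192.0.2.10", "198.51.100.20", 40000, 80, 0x14),   # RST|ACK to server
])
```

Against a real run, call `tcp_resets(open("inline-out.pcap", "rb").read())` from the log directory given with -l; an empty list means no reset was injected.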

From: Lavanya Kumar [mailto:lavanyakumar84 at ...11827...]
Sent: Tuesday, September 29, 2015 1:17 AM
To: snort-users at lists.sourceforge.net; Al Lewis (allewi)
Subject: Fwd: [Snort-users] Block packets using snort with pf_ring



Thanks for your reply,
I have changed my rule according to your suggestion, but it doesn't work. Here is my rule.
drop tcp any any -> any any (content:"facebook"; msg:"Facebook is Blocked"; sid:200001; rev:1; resp:reset_both;)

My query is: I would like to block some of the URLs, viz. facebook, youtube, etc., within the network. I configured my server at router level and 1 client machine was connected to this server. Those machines should not be allowed to access the specified URLs. I would like to achieve this using pf_ring without any packet loss.

09/28-14:23:45.058089  [Drop] [**] [1:200001:1] Facebook is Blocked [**] [Priority: 1]

I am getting this alert on the server machine, but the client could access the website.

Previously, I could achieve this using the daq -nfq module.

Thanks,

