[Snort-users] Block packets using snort with pf_ring
Al Lewis (allewi)
allewi at ...589...
Tue Sep 29 07:04:13 EDT 2015
Is your sensor inline?
You can test to see if the rule will drop by running snort something like this:
./bin/snort -c etc/test.conf -Q --daq dump --daq-var load-mode=read-file -r etc/test.pcap -l. -H -U -k none -q
The daq will dump an inline-out.pcap that you can look at and see the reset packets in there.
I just tested this on a rule and it works.
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
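An added example (not part of this thread or of Snort/DAQ) for the check described above: once the dump DAQ has written inline-out.pcap, this dependency-free Python parser walks the capture and tallies TCP packets with the RST flag set, so you can confirm the resets from a resp:reset_both rule are actually being emitted. It is run here against a hand-built sample capture; the names count_resets, SAMPLE_PCAP and the helper functions are the example's own.

```python
"""Count TCP RST packets in a classic pcap such as the dump DAQ's inline-out.pcap."""
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def _ipv4_frame(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Ethernet II + IPv4 header around `payload` (checksums left zero: test data only)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst)
    return eth + ip + payload


def _tcp(sport, dport, flags):
    """20-byte TCP header with the given flag bits and no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)


def _pcap(frames):
    """Little-endian classic pcap, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1443500000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample capture (hand-built test data, not a real inline-out.pcap):
# a client SYN, the RST/ACK a resp:reset_both rule would inject toward the client,
# and an unrelated UDP datagram that the counter must ignore.
SAMPLE_PCAP = _pcap([
    _ipv4_frame(IPPROTO_TCP, _tcp(40000, 80, TCP_SYN)),
    _ipv4_frame(IPPROTO_TCP, _tcp(80, 40000, TCP_RST | TCP_ACK),
                src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01"),
    _ipv4_frame(17, struct.pack("!HHHH", 5353, 5353, 8, 0)),
])


def count_resets(pcap_bytes):
    """Walk a classic pcap and tally TCP packets whose RST flag is set.

    Returns {"packets": n, "tcp": n, "rst": n, "resets": [(src, dst, sport, dport), ...]}.
    """
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (magic %#x)" % magic)
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")

    stats = {"packets": 0, "tcp": 0, "rst": 0, "resets": []}
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        stats["packets"] += 1
        # Ethernet header is 14 bytes; only IPv4 frames are inspected further.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
            continue
        stats["tcp"] += 1
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        if tcp[13] & TCP_RST:  # flags byte of the TCP header
            stats["rst"] += 1
            src = ".".join(str(b) for b in frame[26:30])
            dst = ".".join(str(b) for b in frame[30:34])
            stats["resets"].append((src, dst, sport, dport))
    return stats


if __name__ == "__main__":
    # Usage: python check_resets.py inline-out.pcap
    path = sys.argv[1] if len(sys.argv) > 1 else "inline-out.pcap"
    with open(path, "rb") as fh:
        result = count_resets(fh.read())
    print("%(packets)d packets, %(tcp)d TCP, %(rst)d with RST set" % result)
    for src, dst, sport, dport in result["resets"]:
        print("  RST %s:%d -> %s:%d" % (src, sport, dst, dport))
```

If the count of RST packets is zero after replaying a pcap that should trigger the rule, the rule itself is the problem; if resets appear in inline-out.pcap but clients still reach the site, the sensor is not actually inline on the traffic path.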
From: Lavanya Kumar [mailto:lavanyakumar84 at ...11827...]
Sent: Tuesday, September 29, 2015 1:17 AM
To: snort-users at lists.sourceforge.net; Al Lewis (allewi)
Subject: Fwd: [Snort-users] Block packets using snort with pf_ring
Thanks for your reply,
I have changed my rule according to your suggestion, but it doesn't work. Here is my rule:
drop tcp any any -> any any (msg:"Facebook is Blocked"; content:"facebook"; resp:reset_both; sid:200001; rev:1;)
My query is: I would like to block some URLs, viz. facebook, youtube, etc., within the network. I configured my server at router level and 1 client machine was connected to this server. Those machines should not be allowed to access the specified URLs. I would like to achieve this using pf_ring without any packet loss.
09/28-14:23:45.058089 [Drop] [**] [1:200001:1] Facebook is Blocked [**] [Priority: 1]
I am getting this alert on the server machine, but the client could access the website.
Previously, I could achieve this using the daq -nfq module.