[Snort-users] Time filtering in Snort

wkitty42 at windstream.net wkitty42 at windstream.net
Mon Nov 13 19:11:14 EST 2017


On 11/13/2017 05:44 PM, Joel Esler (jesler) via Snort-users wrote:
> Please keep traffic on list.
> 
> Sent from my iPhone
> 
> On Nov 13, 2017, at 3:44 PM, Naas Si Ahmed <naas.si.ahmed at gmail.com> wrote:
> 
>> Thank you,
>>
>> Well, I'm trying to prevent my users from using some sites during the working 
>> time (all days but Friday).


then do that where it should be done... in the firewall, web proxy or possibly 
your DNS server... for example DNSMASQ can easily do this and you might simply 
change out the blocked conf with the unblocked by cron...


eg:
# dnsmasq.conf for [redacted]
[...]
# block these domains with NXDOMAIN
server=/example.com/
server=/facebook.com/
server=/fbcdn.net/
server=/fbcdn.com/
server=/facebook.net/


you can even redirect these requests to your own dedicated web server with a 
page informing the employee/individual of the blockage, why it is being blocked 
and possibly also noting that their attempted access has been tallied, with a 
reminder that too many tallies may result in remediation of some sort (eg: one 
day off without pay for 1st offense, one week off without pay for 2nd offense, 
no job for 3rd offense)...

let's just say that it completely stopped the mess "over here" *BUT* this was 
done only to reinforce corporate policy as stated in the employee handbook... 
without corporate policy in place, things might not be as easy to swing...

let's also not forget that social problems cannot be fought or dealt with via 
electronic means... social problems, like failing to follow the rules, require 
other means of enforcement and penalty...

YMMV

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
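
The cron-driven swap of the blocked conf suggested in the message above, as an added example (not part of the original post and not shipped with dnsmasq). The file names, the script path, the 08:00-17:00 working hours and the systemd restart command are assumptions.

```shell
#!/bin/sh
# Constructed example. Assumed (hypothetical) layout:
#   $CONF_DIR/blocked.conf      server=/domain/ lines, blocking active
#   $CONF_DIR/blocked.conf.off  the same file, parked outside working hours
# dnsmasq.conf must load the directory:  conf-dir=/etc/dnsmasq.d/,*.conf
# Assumed crontab entry (root), safe to run often because it is idempotent:
#   */5 * * * * /usr/local/sbin/dns-timeblock.sh --run
CONF_DIR="${CONF_DIR:-/etc/dnsmasq.d}"
RELOAD_CMD="${RELOAD_CMD:-systemctl restart dnsmasq}"  # assumes a systemd host
WORK_START=8   # assumed working hours: 08:00 up to 16:59
WORK_END=17

# should_block DOW HOUR: exit status 0 when blocking applies.
# DOW as printed by `date +%u` (1=Mon .. 7=Sun); Friday (5) is never blocked.
should_block() {
    dow=$1
    hour=${2#0}          # "08" -> "8", so the value is plain decimal
    hour=${hour:-0}      # "0" was stripped to empty: midnight
    [ "$dow" -ne 5 ] && [ "$hour" -ge "$WORK_START" ] && [ "$hour" -lt "$WORK_END" ]
}

# apply_state DOW HOUR: move the file into the wanted state and restart
# dnsmasq only on a change. Prints "changed" or "unchanged".
apply_state() {
    on="$CONF_DIR/blocked.conf"
    off="$CONF_DIR/blocked.conf.off"
    if should_block "$1" "$2"; then src=$off dst=$on; else src=$on dst=$off; fi
    if [ -f "$src" ]; then
        # conf files are only read at startup, so a restart is needed
        mv "$src" "$dst" && $RELOAD_CMD >/dev/null && echo changed
    elif [ -f "$dst" ]; then
        echo unchanged   # already correct: no restart, DNS cache is kept
    else
        echo "no blocklist file in $CONF_DIR" >&2
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    apply_state "$(date +%u)" "$(date +%H)"
fi
```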


