From: Dale L. H. P.E. <dh...@ni...> - 2005-03-09 16:07:47

The "180solutions.com" is not part of the uricontent. It is actually part of the URL (there is a difference). Therefore, it will fail the test.

As an example of this sort of thing, go look at the actual rules at Bleeding Snort. You will see that there are content searches for the host, and other specific uricontent searches for the actual page requests and/or dynamic content requests:

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/MALWARE/MALWARE_180Solutions

And, for perhaps more information than you really wanted to know, you can look at the RFC that explains this far better than I can:

http://www.w3.org/Protocols/rfc2616/rfc2616.html

I hope this helps.

joe z wrote:
| i have snort 2.3, compiled with --enable-inline, on a box behind a
| firewall, inline, to scan traffic. two questions. a little history
| first... when i enable transparent proxy (iptables -t nat -A
| PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080) by
| itself, it works. just as a router, good. when i comment out the tp
| and uncomment (iptables -t mangle -A PREROUTING -j QUEUE)
| without snort, it doesn't work (i.e. no traffic passes); with snort
| running (snort -D -Q -c /etc/snort/rules) it works but doesn't
| drop anything. ip_queue is loaded. i need advice on A. a rule to
| test the inline drop functionality and/or advice on proper config.;
| B. how to run inline and transparent proxy; i tried:
|
| drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
| (msg:"BLEEDING-EDGE Malware 180solutions Spyware";
| uricontent:"180solutions.com"; nocase; classtype:trojan-activity;
| reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html;
| flow:to_server,established; sid:2001051; rev:3;)
|
| and browsed to http://180solutions.com from an internal host.
| obviously fruitlessly. is that the wrong way to write a drop rule
| or did i configure wrong? either way, a simple test drop rule would
| be much appreciated...

--
Dyslexics have more fnu.

--
Dale L. Handy, P.E.
dh...@ni...
http://www.nitrosecuity.com
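The distinction Dale describes, modelled as an added example (not code from the thread or from Snort itself): a toy matcher that applies Snort-style `content`/`uricontent` options to a constructed HTTP request, where `uricontent` only sees the request-URI from the request line while `content` sees the whole request including the Host header. The request bytes, the `split_request`/`parse_options`/`rule_matches` helpers and the option parser (which only understands `content`, `uricontent` and `nocase`) are all assumptions made here for illustration.

```python
import re

# Constructed HTTP request: the hostname is carried in the Host header;
# the request-URI (what uricontent inspects) is only the path after GET.
REQUEST = (
    b"GET /download/installer.exe?aff=1 HTTP/1.1\r\n"
    b"Host: 180solutions.com\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n"
)

# Minimal option grammar: content/uricontent with an optional trailing nocase.
OPT_RE = re.compile(r'(content|uricontent):"([^"]*)";(\s*nocase;)?')


def split_request(raw: bytes):
    """Return (request_uri, whole_request) for a request line plus headers."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1], raw


def parse_options(options: str):
    """Extract (kind, pattern, nocase) triples; other keywords are ignored."""
    return [(k, p.encode(), bool(nc)) for k, p, nc in OPT_RE.findall(options)]


def rule_matches(options: str, raw: bytes) -> bool:
    """True only if every content/uricontent pattern matches its own buffer."""
    uri, whole = split_request(raw)
    for kind, pattern, nocase in parse_options(options):
        buf = uri if kind == "uricontent" else whole   # uricontent: URI only
        if nocase:
            buf, pattern = buf.lower(), pattern.lower()
        if pattern not in buf:
            return False
    return True


if __name__ == "__main__":
    # The option from the quoted rule: the host is not in the URI, so no match.
    print(rule_matches('uricontent:"180solutions.com"; nocase;', REQUEST))
    # Host header via content, page request via uricontent: matches.
    print(rule_matches('content:"Host: 180solutions.com"; nocase; '
                       'uricontent:"/download/"; nocase;', REQUEST))
```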