justinmartin123
Reputation: 51
Snort Website Block Rule
Trying to write a snort rule that prevents the system (using its IP) from accessing a specific website, tried this up to now.
alert tcp any any <> 'ipaddress' any (content: "web url"; msg: "Access Denied"; react:block; sid:1000005;)
Any ideas on why this won't work?
Upvotes: 5
Views: 16105
Answers (2)
Jon Taylor
Reputation: 7905
Snort has several actions which can be used:
- alert generate an alert using the selected alert method, and then log the packet
- log log the packet
- pass ignore the packet
- activate alert and then turn on another dynamic rule
- dynamic remain idle until activated by an activate rule , then act as a log rule
- drop block and log the packet
- reject block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
- sdrop block the packet but do not log it.
These can be found on the documentation page Snort Rule Headers
In your situation you want either drop, reject or sdrop, depending on whether you want to send a reset, and either log or not.
The reason your current one will not block is that alert will just log the packet.
Upvotes: 3
Jack Wilson
Reputation: 3
I'm not totally certain, but it may be that you are using alert which alerts the IDS where you should be using drop which just drops packets going to the specified URL.
Upvotes: 0
Related Questions
- Snort Rule to detect http, https and email
- snort | pcre| rule specification
- Snort rule failing to alert to log
- Snort Rules Configuration Issue
- snort ips rule - reject work but drop and sdrop dont work
- Snort rule to detect http flood
- Snort - Trying to understand how this snort rule works
- Issues with White and Blacklist entries in Snort
- Snort Rule to Alert DNS that has ACK
- How to block packets using snort?