Chapter 3     Working with Snort Rules
alert ip any any -> any any (ipopts: lsrr; \
   msg: "Loose source routing attempt"; priority: 10;)
The priority keyword can be used to differentiate high priority and low priority
alerts.
3.6.21 The react Keyword
The react keyword is used with a rule to terminate a session to block some sites or
services. Not all options with this keyword are operational. The following rule will
block all HTTP connections originating from your home network 192.168.1.0/24. To
block the HTTP access, it will send a TCP FIN and/or FIN packet to both sending and
receiving hosts every time it detects a packet that matches these criteria. The rule causes
a connection to be closed.
alert tcp 192.168.1.0/24 any -> any 80 (msg: "Outgoing \
   HTTP connection"; react: block;)
In the above rule, block is the basic modifier. You can also use the warn modifier
to send a visual notice to the source. You can also use the additional modifier msg,
which includes the msg string in the visual notification shown in the browser. The
following is an example of this additional modifier.
alert tcp 192.168.1.0/24 any -> any 80 (msg: "Outgoing \
   HTTP connection"; react: warn, msg;)
In order to use the react keyword, you should compile Snort with the --enable-flexresp
command line option in the configure script. For a discussion of the compilation
process, refer to Chapter 2.
The react keyword should be the last keyword in the options field. The warn modifier
still does not work properly in the version of Snort I am using.
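As an added example (not code from the book), the following Python parser takes apart rules in the form used in this chapter, header fields followed by a parenthesised option list, extracts the priority value and checks the constraint just stated, that react must be the final option. It assumes the rule header shape action proto src sport -> dst dport and does not try to cover every Snort syntax feature, such as escaped quotes inside a msg string.

```python
import re
from typing import Dict, List, Optional, Tuple

# The three rules quoted in the text, each joined onto one line.
LSRR_RULE = 'alert ip any any -> any any (ipopts: lsrr; msg: "Loose source routing attempt"; priority: 10;)'
REACT_BLOCK_RULE = 'alert tcp 192.168.1.0/24 any -> any 80 (msg: "Outgoing HTTP connection"; react: block;)'
REACT_WARN_RULE = 'alert tcp 192.168.1.0/24 any -> any 80 (msg: "Outgoing HTTP connection"; react: warn, msg;)'
# Constructed negative case: react is not the final option, which the text says it must be.
BAD_REACT_RULE = 'alert tcp 192.168.1.0/24 any -> any 80 (react: warn, msg; msg: "Outgoing; HTTP";)'

HEADER_RE = re.compile(
    r'^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the text inside (...) into (keyword, value) pairs. Options end at ';',
    but a ';' inside a quoted msg belongs to the message, so we track quote state."""
    raw, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            raw.append(''.join(current))
            current = []
        else:
            current.append(ch)
    raw.append(''.join(current))  # final option when it has no trailing ';'
    return [(k.strip(), v.strip().strip('"'))
            for k, _, v in (o.partition(':') for o in raw if o.strip())]

def parse_rule(rule: str) -> Dict[str, object]:
    """Parse 'action proto src sport -> dst dport (options)' into a dict."""
    m = HEADER_RE.match(rule.replace('\\\n', ' '))  # join backslash continuations
    if not m:
        raise ValueError('not a Snort rule: ' + rule)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'direction': direction, 'dst': dst, 'dport': dport,
            'options': split_options(body)}

def priority_of(rule: str) -> Optional[int]:
    """Return the rule's priority value, or None when no priority option is set."""
    values = [v for k, v in parse_rule(rule)['options'] if k == 'priority']
    return int(values[0]) if values else None

def react_is_last(rule: str) -> bool:
    """True when the rule has no react option, or react is its final option."""
    keys = [k for k, _ in parse_rule(rule)['options']]
    return 'react' not in keys or keys[-1] == 'react'
```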
3.6.22 The reference Keyword
The reference keyword can add a reference to information present on other systems
available on the Internet. It does not play any role in the detection mechanism
itself, and you can safely ignore it as far as writing Snort rules is concerned. There are
many reference systems available, such as CVE and Bugtraq. These systems keep additional
information about known attacks. By using this keyword, you can link to this
additional information in the alert message. For example, look at the following rule in
the misc.rules file distributed with Snort: