Snort mailing list archives

Re: Snort react should return HTTP 302 instead of HTTP 403


From: Rishabh Shah <rishabh420 () gmail com>
Date: Tue, 3 Mar 2015 20:43:03 +0530

Hi Russ,

It started working after creating the following html file. Thanks for your
help.

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>Error 403 Permission denied</title>
<style>
<!--
        body {font-family: arial,sans-serif}
        img { border:none; }
//-->
</style>
</head>
<body>
<blockquote>
        <h2>Error 403 Permission denied</h2>
        <p>You do not have permission to retrieve the URL or link you
requested</p>
           Please inform the administrator of the referring page, if you
think this was a mistake.
</blockquote>
</body>
</html>



On Mon, Mar 2, 2015 at 7:27 PM, Russ <rucombs () cisco com> wrote:

 Two comments below ...

On 2/26/15 2:07 AM, Rishabh Shah wrote:

Hi Snort Team,

 Is it possible that Snort can return a HTTP 302 page instead of HTTP 403
forbidden when react is configured in the configuration file?

Yes.  The configured file must be the actual HTTP response (headers and body)
and not just the page content you want to see.  If you are still having
trouble, please send tcpdump style output of the response packet.


 I have defined "config react: /var/www/html/block.html" in my
configuration file and my traffic hits the following rule:
 reject tcp any any -> any any (msg:"Illegal access"; appid: facebook;
sid: 1020120; rev: 1; react: msg;)

 On my windows client, I receive an HTTP 403 forbidden after sending a
facebook request as shown in the packet capture below:

 GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, */*
 Accept-Language: en-US
 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
 Accept-Encoding: gzip, deflate
 Host: www.facebook.com
 Connection: Keep-Alive
 Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l


 HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 99


<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p>
</body> </html>

 <^Content of block.html>

 But I want Snort to return HTTP 302 instead of HTTP 403, as the above
message doesn't get displayed in the browser when the response is HTTP 403.

 I tried modifying "snort-2.9.7.0/src/detection-plugins/sp_react.c"
(replacing HTTP/1.1 403 Forbidden\r\n with HTTP/1.1 302 Moved
Temporarily\r\n) and did a make/make install to update the sp.react.o
(object file). But I am still receiving HTTP 403.

You should not need to change the code.  Since you didn't get any
different output, are you sure you are running the correct binary?


 Kindly let me know if I am missing anything. Thank You!

 Regards,
Rishabh Shah.


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!





-- 
Regards,
Rishabh Shah.
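Russ's point is that the file named in "config react:" has to be a complete HTTP response, not bare HTML, or Snort supplies its own 403 envelope. The following added example (written for this thread, not Snort's own code) builds such a file with a 302 status and a Location header, and checks a candidate file for the mistakes seen above: a missing status line, a wrong Content-Length, or a redirect without Location. It assumes Snort sends the file bytes verbatim with CRLF line endings; the redirect URL is a constructed placeholder.

```python
import re

CRLF = "\r\n"
# Hypothetical block page; replace with your real redirect target.
REDIRECT_URL = "http://blockpage.example/"
REDIRECT_CODES = (301, 302, 303, 307, 308)
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) [^\r\n]*\r\n")


def build_react_response(status: str, body_html: str, location: str = "") -> bytes:
    """Return a full HTTP/1.1 response (headers + body) for 'config react'."""
    body = body_html.encode("utf-8")
    headers = [
        f"HTTP/1.1 {status}",
        "Connection: close",
        "Content-Type: text/html; charset=utf-8",
        f"Content-Length: {len(body)}",  # computed, so it always matches the body
    ]
    if location:
        headers.append(f"Location: {location}")
    # Blank line (CRLF CRLF) separates headers from the body.
    return (CRLF.join(headers) + CRLF + CRLF).encode("ascii") + body


def check_react_file(data: bytes) -> list:
    """Return a list of problems that would make the react response unusable."""
    problems = []
    m = STATUS_LINE.match(data)
    if not m:
        # This is what block.html in the thread looked like: body only.
        problems.append("no HTTP status line: Snort will treat this as body-only (403)")
        return problems
    code = int(m.group(1))
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        problems.append("missing blank line between headers and body")
        return problems
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers and int(headers[b"content-length"]) != len(body):
        problems.append("Content-Length does not match body length")
    if code in REDIRECT_CODES and b"location" not in headers:
        problems.append(f"{code} redirect without a Location header")
    return problems


if __name__ == "__main__":
    page = "<html><body><h2>Blocked</h2><p>Redirecting...</p></body></html>"
    resp = build_react_response("302 Moved Temporarily", page, REDIRECT_URL)
    print(resp.decode("utf-8"))
    print(check_react_file(resp), check_react_file(page.encode()))
```

Write the bytes returned by build_react_response to the path given in "config react:" with the file opened in binary mode, so the CRLFs survive.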
