Re: help - React keyword use to display message on web browser

[Amul Patel <amulpatel.biz () gmail com>]

Thanks Albert quick update,

I am using NFQ as data packet source & already check parallel  tcpdump
command on given interface and generated .pcap file.

I opened pcap in wire-shark tool but I did not see any packet related to
message on pcap file.
It seems snort is not sending message.

Do you have any sample pcap file which show the message is sent by snort
for the reference ?

Thanks ,
Amul Patel



On Fri, Mar 25, 2016 at 6:04 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

> Hello,
>
>
>
> Try running snort with “--daq dump --daq-var load-mode=read-file -Q” so it
> will dump a file “inline-out.pcap”.
>
>
>
> You can check that file to see if the page is being sent. That should tell
> you if there is something wrong with the config or network related.
>
>
>
>
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi () cisco com
>
>
>
> *From:* Amul Patel [mailto:amulpatel.biz () gmail com]
> *Sent:* Friday, March 25, 2016 5:59 AM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] help - React keyword use to display message on
> web browser
>
>
>
> Hello Team,
>
>
>
> I need help to use of react keyword to display message (default or user
> defined) to web browser.
>
>
>
> I am using snort version 2.9.8.0 in linux machine.
>
>
>
> I have enabled required command option during configuration as mentioned
> below:
>
>
>
> ./configure  --enable-active-response --enable-react --enable-flexresp3 \
>
>
>
> I am executing snort as inline mode -
>
>
>
> /usr/bin/snort -Q -k  none  -v -dev -c /etc/snort/snort.conf
>
>
>
> following the rule i am using
>
>
>
> drop tcp any any -> any any (msg: "GET Packet is not
> allowed";content:"GET";nocase;classtype:inappropriate-content;sid:9787879;react,msg)
>
>
>
> It is blocking & logging the message in csv log file but does not send
> default message or rule message to browser.
>
> Just a "connection reset" message is displayed at web browser.
>
>
>
> Even I tried lot of different options with different rule, changed sid, no
> msg keyword with react, snort in tap mode etc but does not work any option.
>
>
>
> I checked react.c file where default HTTP & HTML page is declared .. tried
> to understand code as well to see if any bug there..
>
>
>
> Can any one help me out to display message on web browser ?
>
> Does any firewall rule is also needed or any other setting apart from
> snort ?
>
>
>
>
>
> Thanks in Advanced,
>
> Regards,
>
> Amul Patel



-- 





*Thanks & Regards,Amul Patel07875648886*

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!