Snort Website Block Rule

justinmartin123 · Nov 3, 2016 · Viewed 9.4k times

Trying to write a Snort rule that prevents the system (using its IP) from accessing a specific website. I have tried this up to now:

alert tcp any any <> 'ipaddress' any (content: "web url"; msg: "Access Denied"; react:block; sid:1000005;)

Any ideas on why this won't work?

Answer

Jon Taylor · Nov 13, 2016

Snort has several actions which can be used:

  • alert: generate an alert using the selected alert method, and then log the packet
  • log: log the packet
  • pass: ignore the packet
  • activate: alert and then turn on another dynamic rule
  • dynamic: remain idle until activated by an activate rule, then act as a log rule
  • drop: block and log the packet
  • reject: block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
  • sdrop: block the packet but do not log it

These can be found on the documentation page Snort Rule Headers.

In your situation you want drop, reject or sdrop, depending on whether you want to send a reset and whether you want to log.

The reason your current one will not block is that alert will just log the packet.
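As an added illustration (not code from the question or the answer, and not part of Snort itself), here is a small Python linter that parses a single-line Snort rule, reports when its action is one of the non-blocking ones listed above, and rewrites the action to a blocking one. The sample rule is the one from the question; the field names and the regular expressions are my own assumptions about the rule layout.

```python
import re

# The eight rule actions listed in the answer; only three of them stop the packet.
BLOCKING_ACTIONS = {"drop", "reject", "sdrop"}
KNOWN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"} | BLOCKING_ACTIONS

# Rule header: action proto src src_port direction dst dst_port ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ':' value (a quoted value may contain ';'), closing ';'
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# The rule posted in the question, used here as constructed sample input.
EXAMPLE_RULE = ("alert tcp any any <> 'ipaddress' any "
                "(content: \"web url\"; msg: \"Access Denied\"; react:block; sid:1000005;)")


def parse_rule(text):
    """Split one single-line Snort rule into header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    rule["options"] = {
        key: (value or "").strip().strip('"')
        for key, value in OPT_RE.findall(m.group("opts"))
    }
    return rule


def lint_rule(text):
    """Return findings explaining why the rule will not block matching traffic."""
    action = parse_rule(text)["action"]
    findings = []
    if action not in KNOWN_ACTIONS:
        findings.append("unknown action %r" % action)
    elif action not in BLOCKING_ACTIONS:
        findings.append("action %r only alerts or logs; use drop, reject or sdrop to block" % action)
    return findings


def with_action(text, action="drop"):
    """Return the same rule with its action replaced, e.g. alert -> drop."""
    if action not in BLOCKING_ACTIONS:
        raise ValueError("%r is not a blocking action" % action)
    parse_rule(text)  # validate the rule before rewriting it
    return action + " " + text.strip().split(None, 1)[1]


if __name__ == "__main__":
    print(lint_rule(EXAMPLE_RULE))
    print(with_action(EXAMPLE_RULE, "drop"))
```

Note that drop, reject and sdrop only take effect when Snort is running inline; in passive sniffing mode a rule can only alert or log no matter which action it carries.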