snortattack

Hi to everyone,

Here the link of the working REACT :

link -> http://www.snortattack.org/docs/IPS_react.pdf

link -> http://www.snortattack.org/sp_react.c    (necessary for SNORT <= 2.8.3.2) 

For SNORT version > 2.8.3.2 edit the variable tmp_buf1[] (row 306)

For SNORT <= 2.8.3.2 edit the variable tmp_head[] (row 313)

HTTP/1.1 302 FOUND\r\nLocation:http://google.com\r\nServer: Snort/2.8.3.2\r\nConnection:Close\r\nContent-Type: text/html\r\n\r\n

*google.com redirect to this address.

example rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"REACT RULES";flow: to_server,established;content:"example.com";classtype: policy-violation;sid:9999; react: block, msg ;)

*example.com it's the website to block.

Enjoy!

Snortattack TEAM!