<div dir="ltr">Good morning,<br><br>This is my case :<br><br>Bridging is successful since I have net connection in my host<br><br>---Net-Router(172.20.81.1)-----<- Bridge (suricata in computer (with 2 cards) ->------ my host (172.20.81.101)<br>
<div dir="ltr">                                                                              
br0 eth1 eth0<br><b>But</b> when I tried this rule :<br><br><span style="color: rgb(0, 0, 153);">drop tcp 172.20.81.101 any -> any any (content:"facebook"; msg:"Attention, Facebook !!!"; sid:1000002; rev:1;)</span><br style="color: rgb(0, 0, 153);">
<span style="color: rgb(0, 0, 0);">or :</span><br style="color: rgb(0, 0, 153);"><span style="color: rgb(0, 0, 153);">drop tcp any any -> any any (content:"facebook"; msg:"Attention, Facebook !!!"; sid:1000002; rev:1;)</span><br>

<br><br>I just have an alert, but I can enter to facebook.........!!!<br><br></div>
<br>Packets are not dropped ! can someone explain to me why ?<br><br>this is the iptables configuration of the bridge<br><br>iptables -A INPUT -j NFQUEUE<br>
iptables -A FORWARD -j NFQUEUE<br>
iptables -A OUTPUT -j NFQUEUE<br><br><br>Thank you,<br>Cheers.<br><br style="color: rgb(192, 192, 192);"><span style="color: rgb(192, 192, 192);">A..</span><br><br><br><div class="gmail_quote">2010/7/27 Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">The dropping appears to work if a 'content:"/";' is added like this:<br>
<div class="im"><br>
drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http<br>
</div>link"; sid:1; content:"/";)<br>
<br>
It should work without it as well though, so opened a bug ticket for it:<br>
<br>
<a href="https://redmine.openinfosecfoundation.org/issues/221" target="_blank">https://redmine.openinfosecfoundation.org/issues/221</a><br>
<br>
Thanks for the report Morgan!<br>
<br>
Cheers,<br>
<font color="#888888">Victor<br>
</font><div><div></div><div class="h5"><br>
Morgan Cox wrote:<br>
> Hi.<br>
><br>
> I am quite familiar with running snort in inline mode.<br>
><br>
> I have setup bridging mode on Ubuntu Lucid  = eth0+eth1 = br0<br>
><br>
> , I have added emerging and VRS rules.<br>
><br>
> It is running ok - but ignoring my test (drop) rule<br>
><br>
> I want suricata to examine all traffic (including to the Suricata server)<br>
><br>
> I have used a startup script:-<br>
><br>
> /sbin/iptables -A INPUT -j NFQUEUE --queue-num 0<br>
> /sbin/iptables -A FORWARD -j NFQUEUE --queue-num 0<br>
> /sbin/iptables -A OUTPUT -j NFQUEUE --queue-num 0<br>
> sleep 1<br>
> /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D<br>
> --pidfile=/var/run/suricata.pid<br>
><br>
> For my test rule I just want it to drop all attempts to go to port 80<br>
> (for the Bridge + the Suricata server)<br>
><br>
> Previously I have used<br>
><br>
><br>
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80<br>
> connection initiated";)<br>
><br>
> But it errors:-<br>
><br>
> [1296] 26/7/2010 -- 14:53:01 - (detect.c:301) <Error><br>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error<br>
> parsing signature "drop tcp any any -> any 80 (msg:"Snort_Inline is<br>
> blocking the http link";) " from file<br>
> /etc/suricata/rules/emerging-malware.rules at line 1314<br>
><br>
> - somehow the syntax isn't working.<br>
><br>
><br>
><br>
> If I use:-<br>
><br>
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80<br>
> connection initiated";)<br>
><br>
> I get no errors (in the log) but can still access port 80 on the<br>
> Suricate server - i.e :-<br>
><br>
> <a href="http://ipaddressofsuricataserver.com:80" target="_blank">http://ipaddressofsuricataserver.com:80</a><br>
><br>
> And I get nothing in the logs, no alert + no drop - so my test rule<br>
> isn't working.<br>
><br>
><br>
> Lastly I have tried (from the blog)<br>
><br>
> drop tcp any any -> any 80 (msg:"testing drop"; content:"*";<br>
> http_header; sid:123321;)<br>
><br>
> This does trigger an 'alert' when I go to<br>
><br>
> <a href="http://ipaddressofsuricataserver.com:80" target="_blank">http://ipaddressofsuricataserver.com:80</a><br>
><br>
> in fast.log :-<br>
><br>
> 07/26/10-14:01:54.377706  [**] [1:123321:0] testing drop [**]<br>
> [Classification: (null)] [Priority: 3] {6} (clientIP):49769 -> (serverip):80<br>
><br>
> The issue is is that it is NOT blocking - I can still access it.<br>
><br>
> Can anyone suggest how to make it drop correctly ?<br>
><br>
> Cheers<br>
><br>
</div></div>> ------------------------------------------------------------------------<br>
<div class="im">><br>
> _______________________________________________<br>
> Oisf-users mailing list<br>
> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
</div><div class="im">> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</div><div><div></div><div class="h5">
</div></div></blockquote></div><br></div>
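The rules discussed in this thread can be checked before they are loaded. The following is an added example, not code from the thread or from the Suricata project: a small parser for the rule syntax quoted above that flags rules with no sid (fast.log identifies alerts by gid:sid:rev) and drop rules with no payload keyword, the case Victor reports as not dropping (issue 221). The function names and the keyword set are assumptions made for illustration.

```python
import re

# Header layout used by every rule in the thread:
#   action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S,
)

# Keywords that make a rule inspect payload bytes (assumption: a minimal set).
PAYLOAD_KEYWORDS = {"content", "uricontent", "pcre"}


def split_options(body):
    """Split the option body on ';', honouring quotes and backslash escapes."""
    options, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            item = "".join(buf).strip()
            if item:
                options.append(item)
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    if "".join(buf).strip():
        raise ValueError("last option is not terminated by ';'")
    return options


def parse_rule(text):
    """Return the header fields plus a list of (keyword, value) options."""
    match = HEADER_RE.match(text)
    if not match:
        raise ValueError("rule header does not match the expected layout")
    rule = match.groupdict()
    rule["options"] = []
    for item in split_options(rule.pop("body")):
        name, _, value = item.partition(":")
        rule["options"].append((name.strip(), value.strip()))
    return rule


def lint(text):
    """Return finding codes for one rule; an empty list means nothing flagged."""
    rule = parse_rule(text)
    names = {name for name, _ in rule["options"]}
    findings = []
    if "sid" not in names:
        # Without a sid the rule cannot be tied to a fast.log entry.
        findings.append("no-sid")
    if rule["action"] == "drop" and not names & PAYLOAD_KEYWORDS:
        # The thread reports drop working only once content:"/" was added.
        findings.append("drop-no-payload")
    return findings


# Rules quoted in the thread, re-joined onto one line each.
THREAD_RULES = [
    'drop tcp 172.20.81.101 any -> any any (content:"facebook"; '
    'msg:"Attention, Facebook !!!"; sid:1000002; rev:1;)',
    'drop tcp any any -> any 80 (classtype:attempted-user; '
    'msg:"Port 80 connection initiated";)',
    'drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; '
    'sid:1; content:"/";)',
    'drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; '
    'http_header; sid:123321;)',
]

if __name__ == "__main__":
    for rule_text in THREAD_RULES:
        print(lint(rule_text) or ["ok"], rule_text)
```
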