[Oisf-wg-ruleslanguage] Block metafile content

Will Metcalf william.metcalf at gmail.com
Thu Aug 5 20:54:06 UTC 2010


Just to be clear. With reject rules there is never a guarantee they
will work.  It is essentially a race.  Also currently the code isn't
very intelligent for sending out resets.  For example if you have a
management interface and sniffing interface without an ip address
assigned the resets will always go out your management interface.  We
should add an option to send out resets via a l2 interface.  I will
add a feature request for this.

Regards,

Will

On Wed, Aug 4, 2010 at 9:11 PM, Shant Kassardjian <shant at skylab.ca> wrote:
> Hello,
>
>
> I am currently testing suricata rule creation and have created the following
> test rule, it does alert in fast.log however does not block the download.
> Any idea why? or what additional step or new feature can be used in suricata
> to block this?
>
>
> reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "P2P torrent metafile Download"; content:"d8\:announce"; flow:established; classtype:policy-violation; sid:1000012; rev:1;)
>
>
>
>
> much appreciated,
> Thank you!
> Shant K
>

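Added example (not code from either message): a minimal bencode decoder that shows why the rule's content match "d8:announce" lands on a torrent metafile, and checks the samples a decode recognizes that the byte literal alone does not. The sample metafiles are constructed here, not real torrents.

```python
# Added example, not from the thread: decode bencode to see what "d8:announce"
# really is (dict start, 8-byte key "announce") and to classify metafiles.

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                       # dict: d<key><value>...e (keys sorted)
        i, d = i + 1, {}
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():                     # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError(f"bad bencode at offset {i}")

def starts_like_rule(data: bytes) -> bool:
    """Mirror the rule's content match: literal bytes d8:announce at offset 0."""
    return data.startswith(b"d8:announce")

def is_torrent_metafile(data: bytes) -> bool:
    """Full decode: a metafile is a dict carrying the mandatory 'info' dict."""
    try:
        top, end = bdecode(data)
    except (ValueError, IndexError):
        return False
    return end == len(data) and isinstance(top, dict) \
        and isinstance(top.get(b"info"), dict)

# Constructed samples. Bencode dict keys are sorted, so a metafile that has an
# announce key always begins with d8:announce; a trackerless one does not.
WITH_TRACKER = b"d8:announce22:http://tracker.example4:infod6:lengthi1e4:name1:aee"
TRACKERLESS = b"d7:comment11:trackerless4:infod6:lengthi1e4:name1:aee"
```

The byte literal fires only when "announce" is the first key, so a trackerless metafile slips past the rule while the decoder still recognizes it by its "info" dictionary.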