[Oisf-wg-ruleslanguage] FW: Block metafile content
Shant Kassardjian
shant at skylab.ca
Fri Aug 6 00:55:45 UTC 2010
I'd like to point out that this same exact rule works in Snort.
The content blocking for metadata seems to be slipping through the stream inspection process.
I do have other rules with drop and reject which are working; however, this particular one, as mentioned, works in Snort but not with Suricata.
Hope this helps,
Shant K
> Date: Thu, 5 Aug 2010 15:23:32 +0200
> From: rmkml at free.fr
> To: shant at skylab.ca
> CC: rmkml at free.fr
> Subject: Re: [Oisf-wg-ruleslanguage] Block metafile content
>
> Hi Shant,
> Please search in Google with keywords like oisf-users, drop and iptables.
> Depending on your os+conf...
> Regards
> Rmkml
>
>
> On Thu, 5 Aug 2010, Shant Kassardjian wrote:
>
> > Hello,
> >
> >
> > I am currently testing Suricata rule creation and have created the following test rule. It does alert in fast.log, but it does not block the download. Any idea
> > why, or what additional step or new feature can be used in Suricata to block this?
> >
> >
> > reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P torrent metafile Download"; content:"d8\:announce"; flow:established; classtype:policy-violation; sid:1000012; rev:1;)
> >
> >
> >
> >
> > much appreciated,
> > Thank you!
> > Shant K
> >
> >
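Two things are worth separating in the thread above: whether the rule action can block at all, and what the content pattern actually covers. On the first point, a Suricata `drop` only takes effect when Suricata runs inline (for example on an iptables NFQUEUE, which is what the hint about searching oisf-users for drop and iptables points at); in passive IDS mode the rule still alerts in fast.log while the packets pass, and `reject` only injects a TCP reset after the matching packet has already been seen, which a small metafile download can easily win. On the second point, `content:"d8:announce"` is a plain substring test for the bencoded dictionary prefix `d` (dict), `8:` (string of length 8), `announce`; because bencode dictionaries keep their keys sorted, that is the start of any .torrent file that carries a tracker URL, but not of a trackerless one. The following is an added example, not code from the thread or from Snort or Suricata: a minimal bencode decoder, the rule's substring test, and a structural check that looks for the mandatory `info` dictionary instead. All sample payloads are constructed for the example (the tracker URL is illustrative and the `pieces` hash is a dummy), and the pattern is treated as the literal bytes `d8:announce`.

```python
# Added example (not from the mailing-list thread): what content:"d8:announce"
# does and does not cover, next to a structural check of a torrent metafile.


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at data[pos]; return (value, next_pos).

    Raises ValueError (or IndexError) on malformed or truncated input.
    """
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                  # list: l<values>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # dict: d<key><value>...e
        d, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            val, pos = bdecode(data, pos)
            d[key] = val
        return d, pos + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        return data[start:start + length], start + length
    raise ValueError("not bencode at offset %d" % pos)


def rule_content_match(payload: bytes) -> bool:
    """Mimic the rule's content:"d8:announce": a substring search anywhere in
    the payload, with no notion of bencode structure or file start."""
    return b"d8:announce" in payload


def is_torrent_metafile(payload: bytes) -> bool:
    """Structural check: the whole payload is one bencoded dictionary whose
    'info' entry is itself a dictionary. 'announce' is optional in a metafile,
    'info' is not, so trackerless torrents are covered as well."""
    try:
        value, end = bdecode(payload, 0)
    except (ValueError, IndexError):
        return False
    return (end == len(payload) and isinstance(value, dict)
            and isinstance(value.get(b"info"), dict))


# Constructed sample payloads (not real torrents; 'pieces' is a dummy hash).
INFO = (b"d6:lengthi1024e4:name8:file.bin12:piece lengthi262144e"
        b"6:pieces20:" + b"\x00" * 20 + b"e")
# Tracker torrent: sorted keys put 'announce' first, so the rule fires.
TRACKER_TORRENT = b"d8:announce31:http://tracker.example/announce4:info" + INFO + b"e"
# Trackerless torrent: no 'announce' key at all, so the rule never fires.
TRACKERLESS_TORRENT = b"d10:created by7:example4:info" + INFO + b"e"
# Not a torrent, but the bytes appear in the body, so the rule fires anyway.
LOOKALIKE = b"HTTP/1.1 200 OK\r\n\r\n<p>A .torrent starts with d8:announce</p>"


if __name__ == "__main__":
    for name, payload in (("tracker torrent", TRACKER_TORRENT),
                          ("trackerless torrent", TRACKERLESS_TORRENT),
                          ("lookalike text", LOOKALIKE)):
        print("%-20s rule=%-5s structural=%s" % (
            name, rule_content_match(payload), is_torrent_metafile(payload)))
```

The three samples show the two gaps a practitioner would want to know about before relying on the rule as a blocking control: the substring test misses a metafile that has no tracker URL, and it fires on any payload that merely contains the eleven bytes, which is one reason to pair a pattern like this with a `flowbits` or file-based check rather than treat a single `content` match as proof of a download. Whether a matching rule then blocks anything is decided by the run mode, not by the pattern.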