[Oisf-wg-ruleslanguage] FW: Block metafile content
Will Metcalf
william.metcalf at gmail.com
Mon Aug 9 14:06:42 UTC 2010
Ok thanks we will look into it. I think there may be a bug here in
the reject code associated with the way we are scanning reassembled
streams.
Regards,
Will
On Thu, Aug 5, 2010 at 7:55 PM, Shant Kassardjian <shant at skylab.ca> wrote:
> I'd like to point out this same exact rule works in snort.
>
>
> The content blocking for metadata seems to be slipping through the stream
> inspection process.
>
>
> I do have other rules with drop and reject which are working; however, this
> particular one, as mentioned, works in snort but not with suricata.
>
> hope this helps,
> Shant K
>
>
>
>> Date: Thu, 5 Aug 2010 15:23:32 +0200
>> From: rmkml at free.fr
>> To: shant at skylab.ca
>> CC: rmkml at free.fr
>> Subject: Re: [Oisf-wg-ruleslanguage] Block metafile content
>>
>> Hi Shant,
>> Please search Google for the keywords oisf-users, drop and iptables
>> please.
>> Depending on your os+conf...
>> Regards
>> Rmkml
>>
>>
>> On Thu, 5 Aug 2010, Shant Kassardjian wrote:
>>
>> > Hello,
>> >
>> >
>> > I am currently testing suricata rule creation and have created the
>> > following test rule. It does alert in fast.log, however it does not block the
>> > download. Any idea
>> > why, or what additional step or new feature can be used in suricata to
>> > block this?
>> >
>> >
>> > reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "P2P torrent metafile Download"; content:"d8\:announce"; flow:established; classtype:policy-violation; sid:1000012; rev:1;)
>> >
>> >
>> >
>> >
>> > much appreciated,
>> > Thank you!
>> > Shant K
>> >
>> >
>
> _______________________________________________
> Oisf-wg-ruleslanguage mailing list
> Oisf-wg-ruleslanguage at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-ruleslanguage
>
>
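Added example, not from the thread and not Suricata or Snort code: the rule above keys on the bytes d8:announce, which open any bencoded dictionary whose first key (keys are sorted) is "announce", so it fires on the start of a torrent metafile. Whether reject should have torn the session down here is the question Will leaves open; the simulation below only shows the mechanics behind it, namely that a pattern split across two TCP segments is invisible to a packet-level match and is only found once the stream is reassembled, by which point the segments carrying it have already been seen (and, inline, forwarded) and a RST from reject is racing whatever is left of the download. The bencode encoder, the sample metafile and the tracker URL are constructed for this example.

```python
# Added example (not from the thread or the Suricata project): compare a
# per-packet content match with a match on the reassembled TCP stream,
# using a constructed bencoded .torrent metafile as the payload.

PATTERN = b"d8:announce"   # the rule's content, with the \: escape removed


def bencode(obj):
    """Minimal bencode encoder. Dict keys are emitted in sorted byte order,
    as the format requires; that is what puts 8:announce first."""
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v)
                       for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %s" % type(obj).__name__)


def make_torrent():
    """Constructed sample metafile; tracker URL and info values are made up."""
    return bencode({
        "announce": "http://tracker.example/announce",
        "info": {
            "name": "file.bin",
            "length": 1000,
            "piece length": 16384,
            "pieces": b"\x00" * 20,   # one fake SHA-1 piece hash
        },
    })


def split_stream(data, sizes):
    """Cut a byte string into TCP-style segments of the given sizes; any
    remainder becomes the last segment."""
    segments, pos = [], 0
    for n in sizes:
        segments.append(data[pos:pos + n])
        pos += n
    if pos < len(data):
        segments.append(data[pos:])
    return segments


def first_packet_match(segments, pattern=PATTERN):
    """Index of the first segment whose own payload contains the pattern,
    or None: what a packet-only match can see."""
    for i, seg in enumerate(segments):
        if pattern in seg:
            return i
    return None


def reassembled_match(segments, pattern=PATTERN):
    """Index of the segment whose arrival completes the pattern in the
    reassembled stream, or None: the verdict cannot come earlier than this."""
    buf = b""
    for i, seg in enumerate(segments):
        buf += seg
        if pattern in buf:
            return i
    return None


def bytes_forwarded_before_verdict(segments, match_index):
    """Payload bytes an inline sensor has already passed on by the time the
    stream-level verdict exists (everything up to and including the
    matching segment); with no match, the whole stream."""
    if match_index is None:
        return sum(len(s) for s in segments)
    return sum(len(s) for s in segments[:match_index + 1])


if __name__ == "__main__":
    torrent = make_torrent()
    # Pattern straddles the first two segments: packet match misses, stream match hits.
    segs = split_stream(torrent, [5, 20])
    print("per-packet match:", first_packet_match(segs))
    idx = reassembled_match(segs)
    print("reassembled match completes in segment:", idx)
    print("bytes already forwarded:", bytes_forwarded_before_verdict(segs, idx),
          "of", len(torrent))
```

With a 5-byte first segment the packet-level match never fires while the stream-level match fires on the second segment, after 25 bytes of the file have gone past. On a tap or span port the sensor never held any of those bytes anyway, so a reject verdict can only send a RST to both ends and hope it lands before the transfer finishes; for a metafile this small that is rarely the case. That is why the list archive answer points at the OS and iptables setup: blocking needs an inline placement (NFQUEUE or similar) with drop, not an alert-time reject.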