[Oisf-users] Suricata Active Response (Brad Johnson)
CEPLEANU, ADRIAN
ac1471 at att.com
Fri Apr 12 13:49:04 UTC 2019
I asked the same question about two months ago; no answers.
I ended up creating a patch to replace the TCP reset response with a page.
It’s kind of quick and dirty, so I haven’t offered it back to the community; I was planning on cleaning it up, etc., and then doing it.
Adrian
> On Apr 12, 2019, at 5:00 AM, "oisf-users-request at lists.openinfosecfoundation.org" <oisf-users-request at lists.openinfosecfoundation.org> wrote:
>
> Message: 1
> Date: Thu, 11 Apr 2019 09:24:44 -0500
> From: Brad Johnson <bjohnson at ecessa.com>
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: [Oisf-users] Suricata Active Response
> Message-ID:
> <CAHU2r0mN6-rnM47kn4zjRB2AzkT7y9Zp6jAoU3mjCJE62sSh-A at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I am interested in an active response back to a web client when it accesses
> a blocked site, such as redirecting to a web page telling them the site is
> prohibited. Snort has this functionality with its 'react' keyword. The
> Suricata documentation says active responses are handled automatically when
> using the reject keyword. But that seems to only cause the TCP connection
> to be reset. Is there a way to do this in Suricata? I am currently using
> version 4.0.4.
> Thanks in advance.
>
> --
> http://www.linkedin.com/company/ecessa-corporation
> http://www.twitter.com/ecessa
> http://www.facebook.com/Ecessa
>
>
> ------------------------------
>
> End of Oisf-users Digest, Vol 113, Issue 11
> *******************************************
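The thread contrasts two kinds of active response: a reject-style TCP reset, which leaves the browser with a connection-reset error, and a react-style injected block page, which is what Brad asks for and what Adrian's patch adds. The block below is an added example written for this page; it is not code from the thread, not Adrian's patch, and not Suricata's or Snort's own implementation. It models both responses on a constructed client request so it runs offline, and it shows the part a practitioner most often gets wrong when forging server-side segments: the sequence-number bookkeeping. The `TcpSegment` class, the `BLOCK_PAGE` text, the sample addresses and the blocklist are all assumptions made up for the example; the SEQ/ACK arithmetic is standard TCP. Sending the forged segments (raw sockets, an inline or tap position, winning the race against the real server's reply) is out of scope here, and note that a react-style page can only be injected into cleartext HTTP; inside a TLS session the forged bytes are unreadable to the browser and only a reset is possible.

```python
"""
Added example (not from the thread, not Adrian's patch, not Suricata/Snort code):
a minimal model of the two active-response styles the thread contrasts.

  * reject-style: spoof a TCP RST from the server to the client.
  * react-style:  spoof an HTTP 403 carrying a block page, then a FIN, so the
                  browser renders the page instead of a connection-reset error.

Both replies are forged from the server's address, so the forged segment's SEQ
must be the client's ACK (the next byte the client expects from the server)
and its ACK must be the client's SEQ plus the client's payload length, mod 2**32.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

SEQ_MOD = 1 << 32


@dataclass(frozen=True)
class TcpSegment:
    """Hypothetical packet model for the example; only the fields that matter."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str            # TCP flag letters, e.g. "PA", "RA", "FA"
    payload: bytes = b""


# Hypothetical block page; a deployment would serve its own text.
BLOCK_PAGE = (b"<html><body><h1>Access to this site is prohibited "
              b"by policy.</h1></body></html>")


def extract_host(request: bytes) -> Optional[str]:
    """Host header of an HTTP/1.x request, lower-cased, port stripped
    (bracketed IPv6 literals are not handled). None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None


def build_block_response(body: bytes = BLOCK_PAGE) -> bytes:
    """Complete HTTP/1.1 403; Connection: close matches the FIN sent after it."""
    return (b"HTTP/1.1 403 Forbidden\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: %d\r\n"
            b"Connection: close\r\n"
            b"\r\n" % len(body) + body)


def _server_to_client(client: TcpSegment, seq: int, flags: str,
                      payload: bytes = b"") -> TcpSegment:
    """Forge a segment from the server side of the client's connection."""
    next_client_byte = (client.seq + len(client.payload)) % SEQ_MOD
    return TcpSegment(src=client.dst, sport=client.dport,
                      dst=client.src, dport=client.sport,
                      seq=seq % SEQ_MOD, ack=next_client_byte,
                      flags=flags, payload=payload)


def reject_response(client: TcpSegment) -> List[TcpSegment]:
    """reject-style: one RST+ACK acknowledging the client's data."""
    return [_server_to_client(client, client.ack, "RA")]


def react_response(client: TcpSegment, page: bytes = BLOCK_PAGE) -> List[TcpSegment]:
    """react-style: the block page as server data, then a FIN that follows it in
    sequence space so the client sees an orderly close after the page."""
    http = build_block_response(page)
    data = _server_to_client(client, client.ack, "PA", http)
    fin = _server_to_client(client, client.ack + len(http), "FA")
    return [data, fin]


def active_response(client: TcpSegment, blocked_hosts: Iterable[str],
                    mode: str) -> List[TcpSegment]:
    """[] if the request's Host is not on the blocklist, else the forged reply."""
    host = extract_host(client.payload)
    if host is None or host not in set(blocked_hosts):
        return []
    if mode == "react":
        return react_response(client)
    if mode == "reject":
        return reject_response(client)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample: a client GET to a host that policy blocks.
SAMPLE_REQUEST = TcpSegment(
    src="10.0.0.5", sport=40000, dst="198.51.100.10", dport=80,
    seq=1000, ack=5000, flags="PA",
    payload=b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n")

if __name__ == "__main__":
    for mode in ("reject", "react"):
        for seg in active_response(SAMPLE_REQUEST, {"blocked.example"}, mode):
            print(mode, seg.flags, "seq", seg.seq, "ack", seg.ack, "len", len(seg.payload))
```

The design point is in `_server_to_client`: every forged segment swaps the client's address pair and derives SEQ and ACK from the client's own numbers, modulo 2**32, which is also what makes the FIN land immediately after the page in the client's receive window. Run it directly to see the two responses side by side; `extract_host` is deliberately the only matching logic, since the thread is about what to send once a request is already known to be blocked, not about the rule that decides it.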