[Oisf-users] Suricata Active Response (Brad Johnson)

CEPLEANU, ADRIAN ac1471 at att.com
Fri Apr 12 13:49:04 UTC 2019


I asked the same question about two months ago, no answers.
I ended up creating a patch to replace the TCP reset response with a page.
It's kind of quick and dirty, so I haven't offered it back to the community; I was planning on cleaning it up, etc., and then doing it.

Adrian

> On Apr 12, 2019, at 5:00 AM, "oisf-users-request at lists.openinfosecfoundation.org" <oisf-users-request at lists.openinfosecfoundation.org> wrote:
> 
> Message: 1
> Date: Thu, 11 Apr 2019 09:24:44 -0500
> From: Brad Johnson <bjohnson at ecessa.com>
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: [Oisf-users] Suricata Active Response
> Message-ID:
>    <CAHU2r0mN6-rnM47kn4zjRB2AzkT7y9Zp6jAoU3mjCJE62sSh-A at mail.gmail.com>
> 
> I am interested in an active response back to a web client when it accesses
> a blocked site, such as redirecting to a web page telling them the site is
> prohibited. Snort has this functionality with their 'react' keyword. The
> Suricata documentation says active responses are handled automatically when
> using the reject keyword. But that seems to only cause the TCP connection
> to be reset. Is there a way to do this in Suricata? I am currently using
> version 4.0.4.
> Thanks in advance.
> 