[Oisf-users] http url block or inject in sniffer mode for suricata (tap mode or mirror mode, no inline)

Ayhan ARDA ayhanardaistanbul at gmail.com
Wed Nov 6 20:33:05 UTC 2019


Hi,

I have one question about suricata. I'm going crazy. I have to explain this
situation to the best CEO of the company :)

*Is it possible to block, reset, or reject an HTTP URL in sniff mode?*

(like Snort's react rule) *no inline traffic* (mirror mode or tap mode or
SPAN port mode)

For example: a client accesses http://*xxx*.com or any.url/*yyy*, and Suricata
sniffs the traffic via a switch port mirror and sends a TCP reset or redirects
the client with HTTP injection? (no inline traffic)

(While in this mode, TCP rules are working and I can send the TCP RST flag, but
HTTP is not. For example, I can reset an RDP connection on a non-default port;
that works well.)

Regards

-- 
Ayhan
