[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-devel
Subject:    Re: [Snort-devel] 'react'
From:       Peteris Krumins <newsgroups () lf ! lv>
Date:       2003-08-26 17:06:15
[Download RAW message or body]

Tuesday, August 26, 2003, 2:02:48 PM, you wrote:


PK>  Hi,

PK>   As i understand the 'react' keyword has not yet been
PK>   done?
PK>   At least i am unable to get it working with a visible
PK>   alert (react: block,msg;).

PK>   If it needs to be done, let me know and i will finish
PK>   it quickly since it is needed badly.
  
After looking at the react code closer i realized it worked but
unfortunately the return message (visible warning)
is only visible if i use lynx, if i use ie or opera browsers
i get the original page displayed.

after dumping the contents of data i saw the http response (visible
warning) included w/ no http headers so i added some, hoping
IE and opera would start working, but it didnt.
I clearly see that the react generated packet arriving earlier than
the packet from the web server.

I added the following headers:
-------
HTTP/1.1 200 OK\r\n
Date: <replaced with date correct format>\r\n
Server: snort ids\r\n
Connection: close\r\n
Content-Type: text/html\r\n
\r\n
-------

Does anyone have a clue how to fool IE or opera to display
the message from react detection plugin?
It seems they overwrite any data received before with new
data associated to the same connection.


P.Krumins



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
[prev in list] [next in list] [prev in thread] [next in thread]