'Re[2]: [Snort-devel] 'react''

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-devel
Subject:    Re[2]: [Snort-devel] 'react'
From:       Peteris Krumins <newsgroups () lf ! lv>
Date:       2003-08-27 21:03:15
[Download RAW message or body]

Tuesday, August 26, 2003, 8:06:15 PM, you wrote:

PK> Tuesday, August 26, 2003, 2:02:48 PM, you wrote:

PK>>  Hi,

PK>>   As i understand the 'react' keyword has not yet been
PK>>   done?
PK>>   At least i am unable to get it working with a visible
PK>>   alert (react: block,msg;).

PK>>   If it needs to be done, let me know and i will finish
PK>>   it quickly since it is needed badly.
  
PK> After looking at the react code closer i realized it worked but
PK> unfortunately the return message (visible warning)
PK> is only visible if i use lynx, if i use ie or opera browsers
PK> i get the original page displayed.

PK> after dumping the contents of data i saw the http response (visible
PK> warning) included w/ no http headers so i added some, hoping
PK> IE and opera would start working, but it didnt.
PK> I clearly see that the react generated packet arriving earlier than
PK> the packet from the web server.

PK> I added the following headers:
PK> -------
PK> HTTP/1.1 200 OK\r\n
PK> Date: <replaced with date correct format>\r\n
PK> Server: snort ids\r\n
PK> Connection: close\r\n
PK> Content-Type: text/html\r\n
PK> \r\n
PK> -------

PK> Does anyone have a clue how to fool IE or opera to display
PK> the message from react detection plugin?
PK> It seems they overwrite any data received before with new
PK> data associated to the same connection.

After even more researching I found that react works very ok
under Linux.
Any browser would display the data from react (if it
arrives faster than the data from web-server)
not the data that arrives from the real web-server.

And yes, If i block any http data from web-server then
react works even w/ Windows OS browsers.

For example Opera 7.x react works under Linux but not
under Windows.

This is still not ok.

Anyone?

(I will try now react together with resp)


P.Krumins



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic