Hadn't considered "turning Snort around".  There used to be a snort.lrp
around, so if you can get the filtering to work it would be cool.  Since
each packet is only part of the http request, dropping the packets
with "bad words" may create corrupted web pages.  It may look funny on
the browser, but would effectively stop the user from seeing the pages with
bad content or at least skewing the pages pretty badly.

You're just braver than I, venturing out on your own this way ;)

- Todd

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of 
> John Mullan
> Sent: Thursday, April 11, 2002 7:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Leaf-user] Junk Busting???
> 
> 
> Todd:
> 
> I realize that Snort is more for monitoring (NIDS in particular).
> However the current documentation indicates that it can scan for content
> and, if desired, drop the packets.
> 
> It also says it can do this in either direction.
> 
> So, if one were to "think outside the box", instead of blocking outbound
> requests (like a nanny filter), I could watch for undesirable content
> coming in and drop it.  I could also replace the packet with content
> issuing a warning.
> 
> While unconventional, it may meet my desired criteria of fitting into my
> LEAF router and eliminate the need for an extra box.
> 
> Keep in mind, this is just from reading the user manual.  I have yet to
> actually try this.......
> 
> John
> 
> -----Original Message-----
> From: Todd Pearsall [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, April 11, 2002 9:25 AM
> To: 'John Mullan'; [EMAIL PROTECTED]
> Subject: RE: [Leaf-user] Junk Busting???
> 
> 
> In my past use of Snort it was for intrusion detection.  It "watches"
> all the incoming traffic for patterns that may be hack attempts.  I'm
> not aware of it being useful for controlling where internal users go.
> In fact I think it only logs suspicious activity and doesn't actually
> stop traffic from coming in (like portsentry does for port scanning)
> 
> - Todd
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED]] On Behalf Of 
> > John Mullan
> > Sent: Wednesday, April 10, 2002 6:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Leaf-user] Junk Busting???
> > 
> > 
> > Thanks all for input received so far.
> > 
> > I'm not so picky on the "thin-ness" of my LEAF router box.  I still have
> > some space left on my 80meg flash disk.  At home it is becoming my
> > catch-all router/firewall so adding a certain amount of extra abilities
> > flies for me on this one.
> > 
> > However, I have looked around the net and noticed that SNORT may be up
> > to the task (although not necessarily its conventional use).
> > 
> > Is there anyone that has put SNORT to use on LEAF as a "nanny
> > filter"???????
> > 
> > John
> > 
> > -----Original Message-----
> > From: Todd Pearsall [mailto:[EMAIL PROTECTED]] 
> > Sent: Wednesday, April 10, 2002 9:33 AM
> > To: 'John Mullan'; [EMAIL PROTECTED]
> > Subject: RE: [Leaf-user] Junk Busting???
> > 
> > 
> > I use squid and squidguard on a separate machine.  Squidguard is nice
> > because it updates nightly with a new "bad" list.  I'm pretty sure you
> > can run squid on your Dachstein box, but you'll need a HD to store the
> > cached pages and logs and probably more memory (32MB-64MB?).  With squid
> > in place you can probably add squidguard.  There are also rules you can
> > add so the web proxy is transparent, meaning the user's PC just uses the
> > Dachstein box as the gateway and the rules pump anything destined for
> > port 80 thru squid.
> > 
> > I put this in the category of "can be done" if you're pretty familiar with
> > Dachstein, Linux and firewalls, but I doubt you'll find a drop in
> > package.
> > 
> > If you can scrape up another PC then this should be a piece of cake
> > since squid is a standard package in RedHat and all you'd need to do it
> > is to add squidguard (pretty easy).  If you get it to work on Dachstein
> > please write it up.  I would like to have squid and squidguard running
> > on the firewall, but I love having no HD in the firewall, so I'm
> > sticking with my current solution. 
> > 
> > I run e-smith as a server and Dachstein as firewall.  If you used
> > e-smith as both you just add squidguard and be done.  Personally I like
> > the firewall as skinny as possible and separate from the server.
> > 
> > Enough rambling, good luck.
> > 
> > - Todd
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED]] On Behalf Of 
> > > John Mullan
> > > Sent: Tuesday, April 09, 2002 10:11 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [Leaf-user] Junk Busting???
> > > 
> > > 
> > > I am now in need of blocking certain web content from my 8-year-old
> > > grandson.
> > > 
> > > Since my only gateway to the internet is through the Dachstein box, I am
> > > wondering what (if anything) can be run on the box to block various web
> > > content.
> > > 
> > > So is there anything??  I'm kinda hoping NOT to add in another
> > > computer.......
> > > 
> > > *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> > > John Mullan       http://mullan.dns2go.com/
> > > 
> > > Personal: mailto:[EMAIL PROTECTED]
> > > Business: mailto:[EMAIL PROTECTED]
> > >  
> > > 
> > > 
> > > _______________________________________________
> > > Leaf-user mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/leaf-user
> > > 


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
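
An added example, not part of the original thread, illustrating the point in the top message that each packet carries only part of the HTTP exchange: a stateless per-packet content match misses a word that straddles a segment boundary, while a match that carries a few bytes over between segments catches it. The page bytes, block list and function names are constructed for illustration and model TCP payloads only.

```python
# Added illustration: per-packet content matching vs. matching across
# segment boundaries. All data below is constructed; only TCP payload
# bytes are modelled (no headers, retransmission or reordering).

BLOCKED = [b"badword"]  # constructed block list
PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><p>some BadWord here</p></body></html>")
# Segment size chosen so the blocked word straddles a segment boundary.
SPLIT_MSS = PAGE.lower().find(b"badword") + 3


def segment(payload: bytes, mss: int) -> list[bytes]:
    """Split a byte stream into payload chunks of at most mss bytes."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_hits(segments: list[bytes], words: list[bytes]) -> list[int]:
    """Indices of segments a stateless, case-insensitive match would flag."""
    return [i for i, seg in enumerate(segments)
            if any(w in seg.lower() for w in words)]


def stream_hits(segments: list[bytes], words: list[bytes]) -> list[int]:
    """Indices of segments in which a blocked word completes, matching
    across boundaries by keeping the last len(word)-1 bytes seen so far."""
    hits = set()
    for w in words:
        tail = b""
        for i, seg in enumerate(segments):
            window = tail + seg.lower()
            if w in window:
                hits.add(i)
            # The tail is shorter than the word, so it can never match alone.
            tail = window[-(len(w) - 1):] if len(w) > 1 else b""
    return sorted(hits)


if __name__ == "__main__":
    for mss in (1460, SPLIT_MSS):
        segs = segment(PAGE, mss)
        print(f"mss={mss}: {len(segs)} segment(s), "
              f"per-packet hits={per_packet_hits(segs, BLOCKED)}, "
              f"stream hits={stream_hits(segs, BLOCKED)}")
```
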
