Assalamualaikum
sorry lupa lak nak update ..utk soalan abglang.
utk streaming video/audio jika gn hlbr
http://hlbr.sourceforge.net/
utk mime content-type response signature ialah
application/x-shockwave-flash
video/x-ms-asf
application/vnd.ms.wms-hdr.asfv1
application/x-mms-framed
audio/x-pn-realaudio
application/x-shockwave-flash
video/x-ms-asf
application/vnd.ms.wms-hdr.asfv1
application/x-mms-framed
audio/x-pn-realaudio
(rule bole blok flash tetapi akan menyebabkan false positive bg web site mkn tak perlu)
<rule>
ip src(www)
tcp src(80)
tcp nocase(-flash)
message= drop streaming video flash
action=action1
</rule>
<rule>
ip src(www)
tcp src(80)
tcp nocase(application/vnd)
message= drop streaming video 1
action=action1
</rule>
OR
<rule>
ip src(www)
tcp src(80)
tcp nocase(application/x-)
message= drop streaming video 2
action=action1
</rule>
<rule>
ip src(lan)
udp dst(1-52, 54-66, 69-65535)
message=drop range of udp dst port 1-52,54-66,69-65535
action=action1
</rule>
<rule>
ip src(lan)
tcp dst(1-79, 81-442, 444-65535)
message=drop range of tcp dst port 1-79,81-442,444-65535
action=action1
</rule>
###########################################################################################################################################
#cat porn rule
<rule>
ip dst(www)
tcp dst(80)
http regex(adultsight|adultsite|adultsonly|adultweb|blowjob|bondage|centerfold|cumshot|cyberlust|cybercore|hardcore|masturbat|obscene|pedophil|pedofil|playmate|pornstar|sexdream|showgirl|softcore|striptease)
message=block porn rule1 website-http
action=action1
</rule>
<rule>
ip dst(www)
udp dst(53)
udp regex(adultsight|adultsite|adultsonly|adultweb|blowjob|bondage|centerfold|cumshot|cyberlust|cybercore|hardcore|masturbat|obscene|pedophil|pedofil|playmate|pornstar|sexdream|showgirl|softcore|striptease)
message=block porn rule 2 website-dns
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http regex(big|cyber|hard|huge|mega|small|soft|super|tiny|adult|babe|boob|breast|busen|busty|clit|cum|fetish|hooter|lez|lust|naked|nude|porn|porno|pupper|pussy|sex|smutpump|teen|tit|topp?les|xxx)
message=block porn rule 3 website-http
action=action1
</rule>
<rule>
ip dst(www)
udp dst(53)
udp regex(big|cyber|hard|huge|mega|small|soft|super|tiny|adult|babe|boob|breast|busen|busty|clit|cum|fetish|hooter|lez|lust|naked|nude|porn|porno|pupper|pussy|sex|smutpump|teen|tit|topp?les|xxx)
message=block porn rule 4 website-dns
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http regex(/xxx)
message=block porn rule 5 website-http
action=action1
</rule>
###############################################################################################################
#cat http.rules
<rule>
ip dst(www)
tcp dst(80)
tcp content(vtunnel)
message= block vtunnel 1
action=action1
</rule>
###block website
<rule>
ip dst(www)
tcp dst(80)
http regex(vtunnel)
message= block vtunnel tcp 2
action=action1
</rule>
###block website-ni contoh
<rule>
ip dst(www)
tcp dst(80)
http nocase(vtunnel)
message= block vtunnel
action=action1
</rule>
###block website
# incomplete rule stub (no match test, message or action) -- commented out so it is
# not parsed as a rule; the complete youtube/yahoo rule follows below
#<rule>
#ip dst(www)
#tcp dst(80)
<rule>
ip dst(www)
tcp dst(80)
http regex(youtube|yahoo.com)
message= block youtube & yahoo.com
action=action1
</rule>
#################################################################################################################################
#cat download.rule
###block website with filedownload with extension
<rule>
ip dst(www)
tcp dst(80)
http nocase(.exe)
message= block .exe
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.gz)
message= block .gz
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.exe)
message= block .exe
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.zip)
message= block .zip
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.bin)
message= block .bin
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.gz)
message= block .gz
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.bz2)
message= block .bz2
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.iso)
message= block .iso
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.mp3)
message= block .mp3
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.mpeg)
message= block .mpeg
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.mpg)
message= block .mpg
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
http nocase(.ogg)
message= block .ogg
action=action1
</rule>
###################keseluruhan hlbr.config
############################################################
# AlertHeader
#
# Sets the format used in the log file. Possible values are:
# %sip (source ip), %dip (ip destination), %sp (source port),
# %dp (destination port), %d (day), %m (month), %y (year), %h (hour),
# %min (minute), %s (seconds), %usec (microseconds), %pn (sequential
# packet number), %ac (alert number - starts with 1 every time suricata is
# restarted).
<system>
Name=HLBR_1
ID=1
Threads=1
AlertHeader=%ac %m/%d/%y %h:%min:%s %sip:%sp->%dip:%dp
PidFile=/var/run/hlbr.pid
</system>
#############################################################################
#############################################################################
<interface eth2>
Type=linux_raw
Proto=Ethernet
</interface>
<interface eth3>
Type=linux_raw
Proto=Ethernet
</interface>
#############################################################################
# IP Lists Section -- define these first, very important.
# Note: www and dnsblacklist are both 0.0.0.0/0, so any rule using them
# (ip src(www) / ip dst(www)) matches every address, including hosts in lan.
#############################################################################
<IPList www>
0.0.0.0/0
</list>
<IPList dnsblacklist>
0.0.0.0/0
</list>
<IPList dns>
202.188.0.133
202.188.1.5
</list>
<IPList ultrasurf>
65.49.14.0/24
</list>
<IPList lan>
192.168.1.0/24
</list>
<IPList servers>
www
dns
dnsblacklist
ultrasurf
lan
</list>
############################################################################
# Actions
#############################################################################
<action action1>
response=alert file(/var/log/hlbr/hlbr.log)
response=dump packet(/var/log/hlbr/hlbr.dump)
response=drop
</action>
<action action2>
response=alert file(/var/log/hlbr/hlbr2.log)
response=dump packet(/var/log/hlbr/hlbr2.dump)
</action>
############################################################################
# Routing Section
############################################################################
<routing>
SBridge(eth2, eth3)
</routing>
<decoder http>
OPTIONS,GET,HEAD,POST,CONNECT,PUT,DELETE,SEARCH,TRACE,COPY,MOVE,PROPFIND,PROPPATCH,UNLOCK,LOCK,MKCOL,NOTIFY,POLL
</decoder>
####################################################################################>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
On Feb 11, 1:55 am, "Edham Arief Dawillah" <
edt...@gmail.com> wrote:
> Arora anne.
>
> Possible kalau masukkan artikel ni ke dalam
sabahopensource.org? Credits
> to you
>
>
>
>
>
>
>
>
>
> On Mon, 06 Feb 2012 16:01:27 +0800, abglang <
abgl...@gmail.com> wrote:
> > Rule utk block streaming audio video cmana?
> >> Boleh guna hlbrhttp://
hlbr.sourceforge.net/
> >> 2012/2/2 abglang <
abgl...@gmail.com>
>
> >>> Salam..
> >>> uiks.. sudah delete kah ni artikel.. alalaa
>
> >>> 2010/7/15
packetfence...@gmail.com <
packetfence...@gmail.com>