

React

react is a rule option keyword that enables sending an HTML page on a session and then resetting it. This is built with:

    ./configure --enable-react / -DENABLE_REACT

The page to be sent can be read from a file:

    config react: <block.html>

or else the default is used:

    <default_page> ::= \
        "HTTP/1.1 403 Forbidden\r\n" \
        "Connection: close\r\n" \
        "Content-Type: text/html; charset=utf-8\r\n" \
        "\r\n" \
        "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \
        "    \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" \
        "<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\">\r\n" \
        "<head>\r\n" \
        "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n" \
        "<title>Access Denied</title>\r\n" \
        "</head>\r\n" \
        "<body>\r\n" \
        "<h1>Access Denied</h1>\r\n" \
        "<p>%s</p>\r\n" \
        "</body>\r\n" \
        "</html>\r\n";

Note that the file must contain the entire response, including any HTTP headers. In fact, the response isn't strictly limited to HTTP. You could craft a binary payload of arbitrary content.

When the rule is configured, the page is loaded and the selected message, which defaults to:

    <default_msg> ::= \
        "You are attempting to access a forbidden site.<br />" \
        "Consult your system administrator for details.";

Additional formatting operators beyond a single within a reference URL.
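
An added example, not part of the Snort manual or the Snort source: a small Python lint for a custom react page file before it is referenced by `config react:`. It checks that an HTTP block page carries the entire response, headers included (a deliberately non-HTTP payload would skip those checks), and it assumes, from the single `%s` in the default page, that the message is substituted there printf-style, so a second `%s` or any other `%` sequence such as a URL-encoded `%20` is flagged. `lint_react_page` and both sample pages are constructed for illustration.

```python
import re

# Constructed sample: a custom react page with full HTTP headers and one %s.
GOOD_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><h1>Access Denied</h1><p>%s</p></body></html>\r\n"
)
# Constructed sample: body only, a URL-encoded space, and a second %s.
BAD_PAGE = b'<html><body><a href="/help%20desk">%s</a> %s</body></html>\n'

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} [^\r\n]*\r\n")
PERCENT_SEQ = re.compile(rb"%(.?)", re.DOTALL)  # '%' plus the byte after it


def lint_react_page(data: bytes) -> list[str]:
    """Return a list of problems found in a react response file."""
    problems = []
    # The file must contain the entire response, including HTTP headers.
    if not STATUS_LINE.match(data):
        problems.append("no HTTP status line: file must hold the entire response")
    elif b"\r\n\r\n" not in data:
        problems.append("headers are not terminated by an empty CRLF line")
    # Assumption: the page is used as a printf-style format with one %s.
    seqs = [m.group(0) for m in PERCENT_SEQ.finditer(data)]
    placeholders = seqs.count(b"%s")
    if placeholders > 1:
        problems.append(f"{placeholders} %s placeholders, expected at most one")
    for seq in seqs:
        if seq != b"%s":
            problems.append(f"unexpected format operator {seq!r}")
    return problems


if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        print(name, lint_react_page(page) or "ok")
```
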

This is an example rule:

    drop tcp any any -> any $HTTP_PORTS ( \
        content: "d"; msg:"Unauthorized Access Prohibited!"; \
        react: <react_opts>; sid:4;)

    <react_opts> ::= [msg] [, <dep_opts>]

These options are deprecated:

    <dep_opts> ::= [block|warn], [proxy <port#>]

The original version sent the web page to one end of the session only if the other end of the session was port 80 or the optional proxy port. The new version always sends the page to the client. If no page should be sent, a resp option can be used instead. The deprecated options are ignored.


Eugene Misnik 2013-05-08