Re: Segregating drop alerts

[Anshuman Anil Deshmukh <anshuman () cybage com>]

Sorry missed to give an example of rule set to drop.

Here is an example-

This is a default alert rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; 
flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 
30; classtype:network-scan; sid:2019876; rev:2;)

Same rule is configured as drop rule using pulledpork dropsid.conf which makes the alert rule to drop rule

drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; 
flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 
30; classtype:network-scan; sid:2019876; rev:2;)

Regards,
Anshuman


-----Original Message-----
From: Anshuman Anil Deshmukh
Sent: Tuesday, May 26, 2015 11:38 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Segregating drop alerts

Hi,

Snort running as IDS would have rules just to alert whereas Snort as IPS would have a combination of rules with alert 
and drop. For rules that need to be dropped; the rule statement with "alert" needs to be changed to "drop" or "sdrop". 
Currently we aren't using sdrop.

1. I have some rules set to drop configured using pulledpork (dropsid.conf).

2. Now assume that I have around 10 rules configured as drop.My manager and my team is accessing the Snorby console and 
sees bunch of alerts in it. Currently console shows all alerts in combine. From the alerts is there a way by which they 
would be able to understand which rules are set to drop and which are set just to alert? I do not wish them or me to 
always refer the pulledpork dropsid file to know which rules are set to drop or keep a record of it in a different 
sheet. I know Snorby has an option where we can individually select view rule option to check if it is set to drop or 
alert. But this option isn't useful to me as it doesn't meet my objective.

The prime objective of this is - Just from accessing the console we should be able to differentiate which rules are set 
as drop and which aren't.


Regards,
Anshuman


-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:gl89 () cornell edu]
Sent: Saturday, May 23, 2015 12:27 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Segregating drop alerts

Dear Anshuman,

Can you post an example of a "rule...set to drop"? I think we're probaby miscommunicating here.

        -g

} I mean to say the alerts for the rules that have been set to drop. We } have not set it as silent.
}
} So only some rules have been set to drop. The console should be able to } show if it is a alert for drop or just an } 
alert. This way we can decide what other rules we can configure for } drop.
}
} Hope this is preety clear.
}
} Regards,
} Anshuman
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office


------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 
50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with 
transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited 
which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for 
the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this 
message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply 
e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the 
risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious 
content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or 
attachment." www.cybage.com

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!