Snort mailing list archives
Re: Segregating drop alerts
From: Glenn Forbes Fleming Larratt <gl89 () cornell edu>
Date: Tue, 26 May 2015 09:41:17 -0400 (EDT)
Dear Anshuman,

The second rule is what I thought you meant by "drop" rule. As far as I know, that second rule will *not* make an entry in your alerting or in your logfiles; it will be as if the packet had never been seen by Snort.

Do you actually have both rules configured into Snort? I don't know what the behavior would be in that case.

Best,
-g
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
Sorry, I missed giving an example of a rule set to drop. Here is an example.

This is a default alert rule:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)

The same rule is configured as a drop rule using pulledpork dropsid.conf, which turns the alert rule into a drop rule:

    drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)

Regards,
Anshuman
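An added example, not code from this thread or from pulledpork itself: it performs the alert-to-drop rewrite described above from a dropsid.conf-style sid list, then groups the resulting rules by action, which is one way to list the drop rules apart from the alert rules. The second rule, its sid 9000001 and the inline file contents are constructed for the demo.

```python
import re

# Constructed sample input (not from the thread): the ET rule quoted above plus
# one hypothetical rule, and a dropsid.conf naming only the sid to convert.
RULES = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool '
    'with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; '
    'depth:13; threshold: type limit, track by_src, count 1, seconds 30; '
    'classtype:network-scan; sid:2019876; rev:2;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HYPOTHETICAL web probe"; '
    'content:"/probe"; sid:9000001; rev:1;)\n'
)
DROPSID_CONF = "# dropsid.conf: one sid or gid:sid per line\n2019876\n"

ACTION_RE = re.compile(r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<rest>.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_dropsids(conf):
    """Return the set of sids listed in a dropsid.conf-style file."""
    sids = set()
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            sids.add(int(line.rsplit(":", 1)[-1]))  # accept gid:sid or a bare sid
    return sids

def rule_sid(rule):
    """Extract the sid from a single rule line, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None

def convert_to_drop(rules, dropsids):
    """Rewrite the action of every alert rule whose sid is in dropsids to drop."""
    out = []
    for rule in rules.splitlines():
        m = ACTION_RE.match(rule)
        if m and m.group("action") == "alert" and rule_sid(rule) in dropsids:
            rule = "drop " + m.group("rest")
        out.append(rule)
    return "\n".join(out) + "\n"

def sids_by_action(rules):
    """Group sids by rule action so drop rules can be listed apart from alert rules."""
    groups = {}
    for rule in rules.splitlines():
        m = ACTION_RE.match(rule)
        if m:
            groups.setdefault(m.group("action"), []).append(rule_sid(rule))
    return groups
```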