Snort mailing list archives
Re: alert vs drop
From: Андрей Пегов via Snort-users <snort-users () lists snort org>
Date: Wed, 25 Apr 2018 08:35:13 +0300
Hi

One more remark. It appears only on http. For example, on icmp everything works.

Andrey.

21.04.2018, 16:04, Y M via Snort-users <snort-users () lists snort org>:

> Typically, the ExtraData should come after the event itself. Is the output cut somewhere, or were writes blocked to the u2 file? I haven't seen this one before.
>
> Thanks
> YM
>
> ----------------------------------------------------------------------------
> From: Snort-users <snort-users-bounces () lists snort org> on behalf of Андрей Пегов via Snort-users <snort-users () lists snort org>
> Sent: Monday, April 16, 2018 11:35 AM
> To: snort-users () lists snort org
> Subject: [Snort-users] alert vs drop
>
> Hi
>
> snort 2.9.9.0
>
> snort.conf:
>
>     ruletype test
>     {
>         type drop
>         output alert_unified2: filename snort-unified.alert, limit 1
>         output log_null
>     }
>
> rule:
>
>     test tcp any any -> any any (file_data; msg:"secret"; content:"topsecret"; nocase; sid:10000010;)
>
> u2spewfoo:
>
>     (Event)
>         sensor id: 0    event id: 1    event second: 1523876791    event microsecond: 132288
>         sig id: 10000010    gen id: 1    revision: 0    classification: 0
>         priority: 0    ip source: 192.168.0.2    ip destination: 192.168.1.2
>         src port: 80    dest port: 56700    protocol: 6    impact_flag: 32    blocked: 1
>
> snort.conf:
>
>     ruletype test
>     {
>         type alert
>         output alert_unified2: filename snort-unified.alert, limit 1
>         output log_null
>     }
>
> u2spewfoo:
>
>     (ExtraDataHdr)
>         event type: 4    event length: 33
>
>     (ExtraData)
>         sensor id: 0    event id: 1    event second: 1523876957
>         type: 9    datatype: 1    bloblength: 9    HTTP URI: /
>
>     (ExtraDataHdr)
>         event type: 4    event length: 43
>
>     (ExtraData)
>         sensor id: 0    event id: 1    event second: 1523876957
>         type: 10    datatype: 1    bloblength: 19    HTTP Hostname: 192.168.0.2
>
> Snort does not write an alarm event to unified2?
>
> Andrey
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
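As an added example (it is not code from the thread and not Snort's own code): a small Python unified2 reader that walks the records in a u2 file and reports ExtraData records whose event has no preceding Event record in the same file, which is exactly the symptom in the "type alert" dump above. The record layouts are taken from Snort's unified2 definitions (record type 7 = IPv4 IDS event, 52 bytes; record type 110 = extra data, whose blob_length counts its own type and blob_length fields); the two sample files are constructed here to mirror the u2spewfoo dumps in the post, and the function and constant names are this example's own.

```python
"""Minimal unified2 reader that flags ExtraData records without a preceding Event.

Layouts (all fields big-endian, from Snort's unified2 header definitions):
  record header      : type:u32, length:u32
  type 7  (IDS event): sensor_id, event_id, event_second, event_microsecond,
                       signature_id, generator_id, signature_revision,
                       classification_id, priority_id, ip_source, ip_destination
                       (11 x u32), sport_itype:u16, dport_icode:u16,
                       protocol:u8, impact_flag:u8, impact:u8, blocked:u8  (52 bytes)
  type 110 (extra)   : event_type:u32, event_length:u32, then sensor_id, event_id,
                       event_second, type, data_type, blob_length (6 x u32), then blob
"""
import socket
import struct
import sys

UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPE_EXTRA_DATA = 4          # the "event type: 4" u2spewfoo prints in (ExtraDataHdr)

_EVENT_FMT = ">11IHHBBBB"          # 52 bytes
_EXTRA_FMT = ">II6I"               # 8-byte ExtraDataHdr + 24-byte serial header


def parse_unified2(data):
    """Yield (record_type, fields) for each record in a unified2 byte string."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack_from(_EVENT_FMT, body)
            yield rtype, {
                "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                "sig_id": f[4], "gen_id": f[5],
                "src": socket.inet_ntoa(struct.pack(">I", f[9])),
                "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
                "sport": f[11], "dport": f[12], "protocol": f[13], "blocked": f[16],
            }
        elif rtype == UNIFIED2_EXTRA_DATA:
            f = struct.unpack_from(_EXTRA_FMT, body)
            blob = body[32:32 + f[7] - 8]      # blob_length includes type + blob_length (8 bytes)
            yield rtype, {
                "sensor_id": f[2], "event_id": f[3], "event_second": f[4],
                "type": f[5], "data_type": f[6], "blob": blob,
            }
        else:
            yield rtype, {"raw": body}
        off += 8 + rlen


def orphaned_extra_data(data):
    """Return the ExtraData records whose (sensor_id, event_id, event_second)
    was not announced by an earlier Event record in the same file."""
    seen, orphans = set(), []
    for rtype, rec in parse_unified2(data):
        if rtype == UNIFIED2_IDS_EVENT:
            seen.add((rec["sensor_id"], rec["event_id"], rec["event_second"]))
        elif rtype == UNIFIED2_EXTRA_DATA:
            if (rec["sensor_id"], rec["event_id"], rec["event_second"]) not in seen:
                orphans.append(rec)
    return orphans


# --- builders used only to construct sample input for this example ---
def build_event(event_id, event_second, sig_id, src, dst, sport, dport, blocked):
    body = struct.pack(_EVENT_FMT, 0, event_id, event_second, 132288, sig_id, 1, 0, 0, 0,
                       struct.unpack(">I", socket.inet_aton(src))[0],
                       struct.unpack(">I", socket.inet_aton(dst))[0],
                       sport, dport, 6, 32, 0, blocked)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body


def build_extra(event_id, event_second, xtype, blob):
    serial = struct.pack(">6I", 0, event_id, event_second, xtype, 1, 8 + len(blob)) + blob
    body = struct.pack(">II", EVENT_TYPE_EXTRA_DATA, 8 + len(serial)) + serial
    return struct.pack(">II", UNIFIED2_EXTRA_DATA, len(body)) + body


# Constructed samples mirroring the two u2spewfoo dumps in the post.
DROP_FILE = build_event(1, 1523876791, 10000010, "192.168.0.2", "192.168.1.2", 80, 56700, 1)
ALERT_FILE = build_extra(1, 1523876957, 9, b"/") + build_extra(1, 1523876957, 10, b"192.168.0.2")
# What a healthy file looks like: the Event first, then its ExtraData.
EXPECTED_FILE = (build_event(1, 1523876957, 10000010, "192.168.0.2", "192.168.1.2", 80, 56700, 0)
                 + build_extra(1, 1523876957, 9, b"/")
                 + build_extra(1, 1523876957, 10, b"192.168.0.2"))

if __name__ == "__main__":
    u2 = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else ALERT_FILE
    for rec in orphaned_extra_data(u2):
        print("ExtraData without Event: event id %d second %d type %d blob %r"
              % (rec["event_id"], rec["event_second"], rec["type"], rec["blob"]))
```

Run it against the real file (`python3 u2check.py snort-unified.alert.<timestamp>`) to confirm the Event is really absent from the file rather than merely missing from the dump; the match key is the same sensor id / event id / event second triple that u2spewfoo prints, so an ExtraData record written for an event that Snort never logged shows up as an orphan.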
Current thread:
- alert vs drop Андрей Пегов via Snort-users (Apr 18)
- FWD: alert vs drop Андрей Пегов via Snort-devel (Apr 16)
- Re: alert vs drop Y M via Snort-users (Apr 21)
- <Possible follow-ups>
- Re: alert vs drop Андрей Пегов via Snort-users (Apr 25)