[Snort-devel] FWD: alert vs drop

Андрей Пегов frofis at rambler.ru
Mon Apr 16 09:34:56 EDT 2018


-------- Forwarded message --------
From: Андрей Пегов <frofis at rambler.ru>
Date: 16.04.2018, 11:35
To: <snort-users at lists.snort.org>
Subject: alert vs drop
Hi

snort 2.9.9.0

snort.conf:

ruletype test
{
type drop
output alert_unified2: filename snort-unified.alert, limit 1
output log_null
}
rule:

test tcp any any -> any any (file_data; msg:"secret"; content:"topsecret"; nocase; sid:10000010;)
u2spewfoo:

(Event)
sensor id: 0 event id: 1 event second: 1523876791 event microsecond: 132288
sig id: 10000010 gen id: 1 revision: 0 classification: 0
priority: 0 ip source: 192.168.0.2 ip destination: 192.168.1.2
src port: 80 dest port: 56700 protocol: 6 impact_flag: 32 blocked: 1
snort.conf:
ruletype test
{
type alert
output alert_unified2: filename snort-unified.alert, limit 1
output log_null
}
u2spewfoo:
(ExtraDataHdr)
event type: 4 event length: 33
(ExtraData)
sensor id: 0 event id: 1 event second: 1523876957
type: 9 datatype: 1 bloblength: 9 HTTP URI: /
(ExtraDataHdr)
event type: 4 event length: 43
(ExtraData)
sensor id: 0 event id: 1 event second: 1523876957
type: 10 datatype: 1 bloblength: 19 HTTP Hostname: 192.168.0.2

Snort does not write an alarm event to unified2?

Andrey
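Added example (not part of Andrey's message and not Snort project code): a minimal Python reader for the unified2 file named in the ruletypes above, so the presence or absence of the IDS event record can be checked directly instead of by eye in u2spewfoo's text. The record layouts (Serial_Unified2_Header, Unified2IDSEvent_legacy, Unified2ExtraDataHdr followed by SerialUnified2ExtraData) and the record type numbers 7, 104 and 110 follow Snort's Unified2_common.h. The SAMPLE byte stream is constructed here from the values printed in the two u2spewfoo dumps (sid 10000010, blocked 1, HTTP URI "/", HTTP Hostname 192.168.0.2), packed with the legacy type 7 event layout; it is not a capture from the poster's sensor, and the function names are my own.

```python
"""Minimal unified2 reader for inspecting what alert_unified2 wrote.

Added example, not code from the post or from Snort.  Record layouts and type
numbers follow Snort's Unified2_common.h; every integer is big-endian.
"""
import struct
from ipaddress import IPv4Address

# Record types (Serial_Unified2_Header.type)
UNIFIED2_IDS_EVENT = 7          # Unified2IDSEvent_legacy, 52 bytes
UNIFIED2_IDS_EVENT_VLAN = 104   # Unified2IDSEvent: same first 52 bytes + MPLS/VLAN tail
UNIFIED2_EXTRA_DATA = 110       # Unified2ExtraDataHdr + SerialUnified2ExtraData + blob

# SerialUnified2ExtraData.type values that appear in the post
EXTRA_DATA_TYPES = {9: "HTTP URI", 10: "HTTP Hostname"}

_HDR = struct.Struct("!II")                        # type, length
_EVENT = struct.Struct("!" + "I" * 11 + "HHBBBB")  # legacy IPv4 event, 52 bytes
_EXTRA = struct.Struct("!" + "I" * 8)              # extra-data header + record, 32 bytes


def _parse_event(body):
    f = _EVENT.unpack_from(body)  # a type-104 body is longer; its tail is ignored here
    return {
        "kind": "Event",
        "sensor_id": f[0], "event_id": f[1],
        "event_second": f[2], "event_microsecond": f[3],
        "sig_id": f[4], "gen_id": f[5], "revision": f[6],
        "classification": f[7], "priority": f[8],
        "ip_source": str(IPv4Address(f[9])),
        "ip_destination": str(IPv4Address(f[10])),
        "src_port": f[11], "dest_port": f[12], "protocol": f[13],
        "impact_flag": f[14], "blocked": f[16],  # f[15] is 'impact', not shown by u2spewfoo
    }


def _parse_extra_data(body):
    f = _EXTRA.unpack_from(body)
    blob_len = f[7]
    # blob_length counts the data_type and blob_length fields (8 bytes) plus the data
    blob = body[_EXTRA.size:_EXTRA.size + blob_len - 8]
    return {
        "kind": "ExtraData",
        "event_type": f[0], "event_length": f[1],
        "sensor_id": f[2], "event_id": f[3], "event_second": f[4],
        "type": f[5], "datatype": f[6], "bloblength": blob_len,
        "name": EXTRA_DATA_TYPES.get(f[5], "type %d" % f[5]),
        "value": blob.decode("ascii", "replace"),
    }


def parse_unified2(data):
    """Decode a unified2 byte stream into a list of record dicts."""
    records, off = [], 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size:off + _HDR.size + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % off)
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            records.append(_parse_event(body))
        elif rtype == UNIFIED2_EXTRA_DATA:
            records.append(_parse_extra_data(body))
        else:
            records.append({"kind": "type %d" % rtype, "length": rlen})
        off += _HDR.size + rlen
    return records


def has_event_for(records, event_id):
    """True if the stream holds an Event record for this event_id, which is
    what the post finds missing when the ruletype is 'alert'."""
    return any(r["kind"] == "Event" and r["event_id"] == event_id for r in records)


def _extra_record(event_id, second, etype, value):
    """Build one EXTRA_DATA record sized the way spo_unified2 sizes it."""
    blob = value.encode()
    body = _EXTRA.pack(4, _EXTRA.size + len(blob),     # event_type, event_length
                       0, event_id, second, etype, 1,  # sensor, id, second, type, BLOB
                       8 + len(blob)) + blob           # blob_length
    return _HDR.pack(UNIFIED2_EXTRA_DATA, len(body)) + body


# Constructed sample stream: the values from the u2spewfoo output in the post,
# packed as one legacy IPv4 event followed by the two HTTP extra-data records.
SAMPLE = (
    _HDR.pack(UNIFIED2_IDS_EVENT, _EVENT.size)
    + _EVENT.pack(0, 1, 1523876791, 132288, 10000010, 1, 0, 0, 0,
                  int(IPv4Address("192.168.0.2")), int(IPv4Address("192.168.1.2")),
                  80, 56700, 6, 32, 0, 1)
    + _extra_record(1, 1523876957, 9, "/")
    + _extra_record(1, 1523876957, 10, "192.168.0.2")
)
# The same stream with the Event record dropped: the shape of the second dump.
SAMPLE_EXTRA_ONLY = SAMPLE[_HDR.size + _EVENT.size:]

if __name__ == "__main__":
    for rec in parse_unified2(SAMPLE):
        print(rec)
    print("event 1 present:", has_event_for(parse_unified2(SAMPLE_EXTRA_ONLY), 1))
```

Parsing SAMPLE yields the Event record followed by the two ExtraData records, with event_length 33/43 and bloblength 9/19 matching the dump; parsing SAMPLE_EXTRA_ONLY yields only the two ExtraData records, so has_event_for() returns False, which is the situation the post describes for the alert ruletype. For a real file, read the bytes of the snort-unified.alert.<timestamp> file into parse_unified2() and check has_event_for() for the event_id that the ExtraData records reference.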