[Snort-users] Re: [Snort-sigs] To drop packets

JP Vossen vossenjp at ...8683...
Mon Dec 8 22:02:01 EST 2003


> Date: Mon, 08 Dec 2003 13:34:25 -0500
> To: "Anna Patil" <anna.patil at ...10702...>, <Snort-sigs at lists.sourceforge.net>
> From: Matt Kettler <mkettler at ...4108...>
> Subject: Re: [Snort-sigs] To drop packets
>
> At 01:03 PM 12/8/2003, Anna Patil wrote:
> >
> >Is there any option to drop particular packet (like alert is for logging).
>
> 1) this belongs on snort-users, not snort-sigs.

Matt is correct and I've moved my reply there.


> 2) by itself, snort is a passive sniffer that operates in parallel with the
> local TCP/IP stack. Thus, if snort "drops" a packet, nothing happens to the
> copy in the TCP/IP stack.

<snip lots of good stuff about NIDS being passive, and flexresp.>

I think the original poster *may* have been asking about pass rules.  See the
User Manual [0] and the FAQ [1] #4.8, and always read these (and this [2])
before posting.

Later,
JP

[0] http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.1
[1] http://www.snort.org/docs/FAQ.txt
[2] http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?




