[Snort-users] Rule Actions

Rob Ward rob.ward at ...11329...
Tue Feb 15 02:33:11 EST 2005


Hi, I'm running Snort with 'flexresp' to help control the amount of peer 
to peer traffic on our halls' network. I've used the standard P2P.rules file 
with react:block; i.e.:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)

This has been successful to a point, but the huge number of alerts generated 
is a problem. We're aware of the amount of p2p use on our network, so I'd 
like to stop the alerts being generated but still use react:block; to send 
TCP resets.

Yesterday I changed the P2P.rules to be type 'log' instead of 'alert':

log tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)

I thought that this meant no entries would be generated in the alert file 
but they're still being output?

Regards

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department
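As an added illustration of Snort 2.x rule actions (not part of the post above), a custom ruletype lets a rule keep its detection options while routing output to a chosen plugin instead of the default alert facility. The ruletype name p2p_log and the file name p2p.log are assumptions; the declaration must appear in snort.conf before any rule that uses it.

```snort
# Custom rule action: behaves like a 'log' rule and writes matching packets
# to a tcpdump-format file rather than producing entries in the alert file.
ruletype p2p_log
{
    type log
    output log_tcpdump: p2p.log
}

# The same Gnutella signature from the post, using the custom action.
# All rule options (including react:block;) are kept unchanged.
p2p_log tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)
```

Whether react:block; still fires under a non-alert action depends on the flexresp build in use, so check a test session against a known Gnutella client before relying on it.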
