[Snort-users] Identify trigger of a drop rule

Yossi Nachum nachum234 at ...11827...
Mon Apr 15 06:56:05 EDT 2013


Hi,
I am using Snort version 2.9.4 in inline mode using NFQ. I configured
barnyard2 to send all alerts to my graylog2 server.

I want to create a stream in graylog2 that will display all the drop
alerts. Is it possible?

I created a dummy rule that drops all traffic to port 443. The rule works
fine, but the alert I get in syslog is the same as a regular Snort
alert. Is there any way to distinguish the drop alerts?


Thanks,
Yossi
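As an added illustration (not part of the original thread or the poster's setup), one collector-side way to tell drop alerts apart when the alert text itself does not say so: derive the set of (gid, sid) pairs whose rule action is drop, sdrop or reject from the rules file, then tag each syslog line whose `[gid:sid:rev]` prefix matches. The rule lines and syslog lines below are constructed samples, and the regexes assume the usual `[gid:sid:rev] msg` prefix of Snort/barnyard2 syslog output.

```python
import re

# Constructed sample rules (not from the post): a drop rule for port 443
# like the poster's dummy rule, plus an ordinary alert rule for contrast.
RULES = """\
drop tcp any any -> any 443 (msg:"DUMMY drop all 443"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"DUMMY alert on 80"; sid:1000002; rev:1;)
"""

# Constructed syslog lines in the assumed "[gid:sid:rev] msg ..." layout.
SYSLOG = """\
Apr 15 06:50:01 sensor snort[1234]: [1:1000001:1] DUMMY drop all 443 [Priority: 3] {TCP} 10.0.0.5:50312 -> 10.0.0.9:443
Apr 15 06:50:02 sensor snort[1234]: [1:1000002:1] DUMMY alert on 80 [Priority: 3] {TCP} 10.0.0.5:50313 -> 10.0.0.9:80
"""

# Rule action is the first word; sid (and optional gid) live in the option body.
RULE_RE = re.compile(r'^\s*(?P<action>drop|sdrop|reject|alert|log|pass)\s', re.I)
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
EVENT_RE = re.compile(r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]')
BLOCKING_ACTIONS = {'drop', 'sdrop', 'reject'}


def drop_sids(rules_text):
    """Return the set of (gid, sid) pairs whose rule action blocks traffic."""
    blocking = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(line)
        if not m or not sid or m.group('action').lower() not in BLOCKING_ACTIONS:
            continue
        gid = GID_RE.search(line)
        # Plain text rules carry gid 1 unless a gid option overrides it.
        blocking.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return blocking


def classify(syslog_text, blocking):
    """Tag each syslog alert line as 'drop' or 'alert' by its (gid, sid)."""
    tagged = []
    for line in syslog_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an alert line we can attribute to a rule
        key = (int(m.group('gid')), int(m.group('sid')))
        tagged.append(('drop' if key in blocking else 'alert', key))
    return tagged


if __name__ == '__main__':
    for tag, key in classify(SYSLOG, drop_sids(RULES)):
        print(tag, key)
```

The same SID set can feed a graylog2 stream rule, so the stream matches on the rule's identity rather than on alert text that looks identical for drop and alert actions.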