[Snort-users] Identify trigger of a drop rule

waldo kitty wkitty42 at ...14940...
Mon Apr 15 14:01:30 EDT 2013

On 4/15/2013 06:56, Yossi Nachum wrote:
> Hi,
> I am using snort version 2.9.4 in inline mode using NFQ. I configure barnyard2
> to send all alerts to my graylog2 server.
> I want to create a stream in graylog2 that will display all the drop alerts, is
> it possible?
> I created a dummy rule that drop all traffic to port 443. The rule works fine
> but the alert I get in syslog is the same alert as regular snort alert. is there
> any way to distinguish the drop alerts?

the messages you see are the MSG component of the rule... if you want to 
distinguish DROP rules from ALERT rules, you will need to modify their MSG 
component and you will have to do this every time the rules are updated...

More information about the Snort-users mailing list