[Snort-users] Snort sdrop

Joel Esler jesler at ...1935...
Mon Apr 22 09:31:50 EDT 2013


On Apr 22, 2013, at 9:00 AM, Joao Daniel Neves <joaodanielnevesss at ...125...> wrote:

> The IP Z.X.C.V is triggering a lot of alarms on my IDS (more than 1 million). I have written a very simple Snort rule to drop packages from this source. For some reason it is not working. Did I do something wrong?
> 
> sdrop udp Z.X.C.V any -> any any
> sdrop tcp Z.X.C.V any -> any any
> sdrop icmp Z.X.C.V any -> any any
> 
> Of course, I have restarted Snort

Are you sure that's what you want to do?  Are you sure you don't want a suppression?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire