[Snort-users] Segregating drop alerts
Anshuman Anil Deshmukh
anshuman at ...16510...
Tue May 26 03:51:03 EDT 2015
Sorry missed to give an example of rule set to drop.
Here is an example-
This is a default alert rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
Same rule is configured as drop rule using pulledpork dropsid.conf which makes the alert rule to drop rule
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
From: Anshuman Anil Deshmukh
Sent: Tuesday, May 26, 2015 11:38 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Segregating drop alerts
Snort running as IDS would have rules just to alert whereas Snort as IPS would have a combination of rules with alert and drop. For rules that need to be dropped; the rule statement with "alert" needs to be changed to "drop" or "sdrop". Currently we aren't using sdrop.
1. I have some rules set to drop configured using pulledpork (dropsid.conf).
2. Now assume that I have around 10 rules configured as drop.My manager and my team is accessing the Snorby console and sees bunch of alerts in it. Currently console shows all alerts in combine. From the alerts is there a way by which they would be able to understand which rules are set to drop and which are set just to alert? I do not wish them or me to always refer the pulledpork dropsid file to know which rules are set to drop or keep a record of it in a different sheet. I know Snorby has an option where we can individually select view rule option to check if it is set to drop or alert. But this option isn't useful to me as it doesn't meet my objective.
The prime objective of this is - Just from accessing the console we should be able to differentiate which rules are set as drop and which aren't.
From: Glenn Forbes Fleming Larratt [mailto:gl89 at ...1712...]
Sent: Saturday, May 23, 2015 12:27 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Segregating drop alerts
Can you post an example of a "rule...set to drop"? I think we're probaby miscommunicating here.
} I mean to say the alerts for the rules that have been set to drop. We } have not set it as silent.
} So only some rules have been set to drop. The console should be able to } show if it is a alert for drop or just an } alert. This way we can decide what other rules we can configure for } drop.
} Hope this is preety clear.
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Please visit http://blog.snort.org to stay current on all the latest Snort news!
"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com
More information about the Snort-users