[Snort-users] Segregating drop alerts

Glenn Forbes Fleming Larratt gl89 at ...1712...
Tue May 26 09:41:17 EDT 2015


Dear Anshuman,

The second rule is what I thought you meant by "drop" rule. As far as I 
know, that second rule will *not* make an entry in your alerting or in your 
logfiles; it will be as if the packet had never been seen by Snort.

Do you actually have both rules configured into Snort? I don't know what 
the behavior would be in that case.

Best, -g
-- 
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

> Sorry, I missed giving an example of a rule set to drop.
>
> Here is an example-
>
> This is a default alert rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
>
> The same rule is configured as a drop rule using the pulledpork dropsid.conf, which turns the alert rule into a drop rule:
>
> drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
>
> Regards,
> Anshuman
>
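The conversion Anshuman describes (an alert rule rewritten as a drop rule because its SID appears in dropsid.conf) can be reproduced with a small rule rewriter. The script below is an added example, not pulledpork's own code and not from either poster: it mimics the dropsid.conf behaviour by parsing each rule's gid/sid, and rewriting the action of matching alert rules to drop in place, so the rule set ends up with one rule per SID rather than an alert copy and a drop copy of the same rule. The sample rule set and dropsid.conf contents are constructed for the example (the first rule is the ET rule from the thread; the second rule and its sid 1000001 are hypothetical), and the dropsid.conf syntax handled here (one `sid` or `gid:sid` per line, `#` comments) is an assumption about the subset of that file's format.

```python
import re

# Constructed sample rule set: the ET rule quoted in the thread plus a
# hypothetical second rule that is NOT listed in dropsid.conf.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
# a commented-out rule line is left untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HYPOTHETICAL example rule"; content:"foo"; sid:1000001; rev:1;)
"""

# Constructed dropsid.conf contents (assumed format: one sid or gid:sid per line).
SAMPLE_DROPSID = """\
# dropsid.conf: SIDs whose action should become drop
2019876
"""

# Rule options are "key:value;" pairs inside the parentheses.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
# Leading whitespace, then the rule action keyword.
ACTION_RE = re.compile(r'^(\s*)(alert|log|pass|drop|reject|sdrop)\b')


def parse_dropsid(text):
    """Return the set of (gid, sid) pairs listed in dropsid.conf-style text.

    A bare number is taken as gid 1 (the text-rule generator); 'gid:sid'
    is taken literally; '#' starts a comment.
    """
    wanted = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        if ':' in line:
            gid, sid = line.split(':', 1)
        else:
            gid, sid = '1', line
        wanted.add((int(gid), int(sid)))
    return wanted


def rule_ids(rule):
    """Return (gid, sid) for a rule line, or None if it carries no sid."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def convert_to_drop(rules_text, dropsids):
    """Rewrite 'alert' to 'drop' for every rule whose (gid, sid) is in dropsids.

    Returns (rewritten_text, list_of_converted_ids). Comments, blank lines,
    and rules with other actions (pass, drop, ...) are passed through unchanged,
    so each SID remains present exactly once.
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        if stripped and not stripped.startswith('#'):
            ids = rule_ids(line)
            m = ACTION_RE.match(line)
            if ids in dropsids and m and m.group(2) == 'alert':
                line = ACTION_RE.sub(lambda mm: mm.group(1) + 'drop', line, count=1)
                changed.append(ids)
        out.append(line)
    return '\n'.join(out) + '\n', changed


if __name__ == '__main__':
    text, changed = convert_to_drop(SAMPLE_RULES, parse_dropsid(SAMPLE_DROPSID))
    print('converted to drop:', changed)
    print(text)
```

Running it prints the rule set with sid 2019876 now starting with `drop` and sid 1000001 still an `alert`; a quick way to check the resulting file is to grep for each SID and confirm it appears once with the action you expect.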



