[Snort-users] Segregating drop alerts

Anshuman Anil Deshmukh anshuman at ...16510...
Tue May 26 10:01:56 EDT 2015


Yes. The second rule which I mentioned  is the drop. It will not log only in case if I set it as sdrop which is silently drop where it doesn't log it. But as said earlier we aren't using sdrop. Hence the alert as well as drop are getting logged in the log file.

If I set the output to console it shows the drop requests and they are blocked by the Snort successfully, this is what I want it to do and its happening properly.

When I say I want to differentiate, I am fine showing it in any way. Say by showing it in different section or by getting it highlighted in a different colour or by changing its style or whichever other ways it can. Just wanted to understand how it can be done.

Hope this is clear enough what I need to achieve.

Regards,
Anshuman

On 26/05/2015 7:14 pm, Glenn Forbes Fleming Larratt <gl89 at ...1712...> wrote:
Dear Anshuman,

The second rule is what I thought you meant by "drop" rule. As far as I
know, that second rule will *not* make an entry in you alerting or in your
logfiles; it will be as if the packet had never been seen by Snort.

Do you actually have both rules configured into Snort? I don't know what
the behavior would be in that case.

Best, -g
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

> Sorry missed to give an example of rule set to drop.
>
> Here is an example-
>
> This is a default alert rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
>
> Same rule is configured as drop rule using pulledpork dropsid.conf which makes the alert rule to drop rule
>
> drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
>
> Regards,
> Anshuman
>

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150526/aef2f690/attachment.html>


More information about the Snort-users mailing list