Snort mailing list archives
RE: a drop rule instead of log or alert
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 15 Oct 2001 08:26:24 -0700 (PDT)
On Mon, 15 Oct 2001, Mike Walter wrote:
Yes you can do a pass rule and then start up snort with a -o option so the pass rules will process first.
Yes, this will work. The only thing is it's not quite what I think Patrick was asking for.
From Patrick Berthon <Patrick.Berthon () unice fr>:
Is it possible to drop a packet when a rule is matched? (like HogWash)
Since you mention Hogwash, I'm assuming that you want to discard the packet. Send it to the bit bucket, /dev/null, whatever. AFAIK, you can't discard the packet with a snort rule. You can pass, alert, log, and flexresp from rules. The closest thing that I can think of would be to use flexresp to send a RST or FIN in reply to the offending packet.

If this isn't what you're looking for, correct me!

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net