Snort mailing list archives
Rule Actions
From: Rob Ward <rob.ward () liverpool ac uk>
Date: Tue, 15 Feb 2005 10:30:48 +0000
Hi, I'm running Snort with 'flexresp' to help control the amount of peer to peer traffic on our halls network. I've used the standard P2P.rules file with react:block; i.e:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)
This has been successful to a point but the huge number of alerts generated are a problem. We're aware of the amount of p2p use on our network so I'd like to stop the alerts being generated but still use react:block; to send TCP resets.
Yesterday I changed the P2P.rules to be type 'log' instead of 'alert':
log tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)
I thought that this meant no entries would be generated in the alert file but they're still being output?
Regards
Rob Ward
Network Northwest Support
University of Liverpool Computing Services Department
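As an added example (not from the post or from the Snort project), a small Python parser for the single-line Snort 2 rule format quoted above: it separates the rule header from the option list and rewrites only the action keyword, keeping every option, react:block included, so a whole P2P rule set can be retargeted consistently and round-tripped without loss. The set of accepted action names is my assumption, taken from the Snort 2 manual.

```python
import re
from collections import namedtuple
# Action keywords accepted in a Snort 2 rule header (assumption: list taken from
# the Snort 2 manual; drop/reject/sdrop only take effect when Snort runs inline).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# Header layout: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
SnortRule = namedtuple("SnortRule", "action proto src src_port direction dst dst_port options")
# The rule quoted in the post (sid 1432), used here as sample input.
GNUTELLA_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client '
                 'request"; flow:to_server,established; content:"GNUTELLA"; depth:8; '
                 'classtype:policy-violation; sid:1432; rev:6; react:block;)')

def split_options(body):
    # Split on ';' outside double quotes (backslash escapes honoured), keeping order.
    items, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ";" and not in_quote:
            items.append("".join(cur)); cur = []
        else:
            in_quote ^= (ch == '"')
            cur.append(ch)
    items.append("".join(cur))
    parsed = []
    for item in (i.strip() for i in items if i.strip()):
        keyword, sep, value = item.partition(":")  # split at the first ':' only
        parsed.append((keyword.strip(), value.strip() if sep else None))
    return parsed  # (keyword, value-or-None) pairs; value None for flag options

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m or m.group(1) not in ACTIONS:
        raise ValueError("not a valid single-line Snort rule: %r" % line)
    return SnortRule(*m.groups()[:7], split_options(m.group(8)))

def render(rule):
    opts = "; ".join(k if v is None else f"{k}:{v}" for k, v in rule.options)
    return (f"{rule.action} {rule.proto} {rule.src} {rule.src_port} {rule.direction} "
            f"{rule.dst} {rule.dst_port} ({opts};)")

def retarget_action(line, new_action):
    # Rewrite only the action keyword; every option, react:block included, is kept.
    if new_action not in ACTIONS:
        raise ValueError("unknown rule action: %r" % new_action)
    return render(parse_rule(line)._replace(action=new_action))
```

Running retarget_action(GNUTELLA_RULE, "log") yields exactly the 'log' form of the rule shown in the post.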