Snort mailing list archives

Rule Actions


From: Rob Ward <rob.ward () liverpool ac uk>
Date: Tue, 15 Feb 2005 10:30:48 +0000

Hi, I'm running Snort with 'flexresp' to help control the amount of peer-to-peer traffic on our halls network. I've used the standard P2P.rules file with react:block; i.e.:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)

This has been successful to a point, but the huge number of alerts generated is a problem. We're aware of the amount of p2p use on our network, so I'd like to stop the alerts being generated but still use react:block; to send TCP resets.

Yesterday I changed the P2P.rules to be type 'log' instead of 'alert':

log tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)

I thought that this meant no entries would be generated in the alert file but they're still being output?

Regards

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department
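A way to audit a rules file for exactly the situation described in this post (rules that both raise an alert and send a reset via react:block), as an added example that is not part of the original message and not Snort's own code. It assumes the Snort 2 rule syntax quoted above (action, protocol, addresses, direction, ports, then a parenthesised option list separated by ';'); the sample rules file is constructed inline from the two rules in the post plus one extra made-up line, and the report fields are this example's own names.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rules file: the two rules quoted in the thread plus one
# made-up alert rule with no active response, so the audit has something to compare.
SAMPLE_RULES = """\
# constructed sample: the rules as quoted in the thread
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)
log tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6; react:block;)
# constructed: an alert-only rule (hypothetical sid) with no react option
alert tcp $HOME_NET any -> $EXTERNAL_NET 6346 (msg:"CONSTRUCTED example"; sid:9000001; rev:1;)
"""

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' while leaving ';' inside double quotes alone."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line: str) -> Optional[Dict]:
    """Parse one rule line into header fields plus an option dict.

    Options are keyed by name; a rule with several options of the same name
    (e.g. multiple content matches) keeps only the last, which is enough for
    an action/react audit but not for a full rule model.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options: Dict[str, str] = {}
    for opt in split_options(m.group('opts')):
        key, _, value = opt.partition(':')
        options[key.strip()] = value.strip().strip('"')
    rule['options'] = options
    return rule


def audit_rules(text: str) -> List[Dict]:
    """Summarise every rule and flag the ones that both alert and send resets."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment
        rule = parse_rule(line)
        if rule is None:
            continue  # not a rule line (e.g. a config directive)
        opts = rule['options']
        report.append({
            'sid': opts.get('sid'),
            'action': rule['action'],
            'react': opts.get('react'),
            # the case the post describes: noisy alert plus active response
            'alerts_and_blocks': rule['action'] == 'alert' and 'react' in opts,
        })
    return report


if __name__ == '__main__':
    for entry in audit_rules(SAMPLE_RULES):
        print(entry)
```

Run against a real rules directory by reading each .rules file into `audit_rules`; entries with `alerts_and_blocks` set are the ones that will keep filling the alert file while resetting connections, and comparing the `action` column before and after an edit confirms that a rule really was switched from alert to log rather than being duplicated elsewhere.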



