Snort mailing list archives
Logging: alert vs drop with PulledPork using VRT & ET rules
From: NA <dustypath () comcast net>
Date: Tue, 04 Oct 2011 08:56:31 -0700
Hi all,

I use both VRT and ET-no gpl rule sets and update via PulledPork. Snort 2.9.10 is running in afpacket mode and inline. Per the conf file for PulledPork and what I assume is the incompatible option (with ET) to set a policy of balanced or security, I use no policy.

I see in a few rules that with a policy set the rule will both alert and drop. When I use dropsid.conf to change a rule from alert to drop, I get no more alerts, and therefore do not see the traffic.

Am I correct in thinking there is no way to get alerts on dropped sids with this configuration? (Other than using iptables via NFQ daq to log them elsewhere.) Should I just stop using the ET rules and set a policy?

thanks,
Bill B
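As an added illustration (not code from this thread or from PulledPork itself), a small Python script that mimics what a dropsid.conf pass does to a rules file: it rewrites the action of the listed SIDs from alert to drop and reports which SIDs changed, so an operator can see up front which rules will stop showing up as alerts. The two dropsid.conf entry forms it handles (gid:sid and a bare sid), the helper names and the sample rules are constructed assumptions, not PulledPork's real parser.

```python
import re
from typing import List, Set, Tuple

# Action keyword at the start of an enabled rule line ('#'-disabled rules are left alone).
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_dropsid(conf_text: str) -> Set[Tuple[int, int]]:
    """Read 'gid:sid' and bare 'sid' entries (assumed subset of the dropsid.conf syntax)."""
    wanted: Set[Tuple[int, int]] = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and blanks
        if not line:
            continue
        if ":" in line:
            gid, sid = line.split(":", 1)
            if gid.isdigit() and sid.isdigit():
                wanted.add((int(gid), int(sid)))
        elif line.isdigit():
            wanted.add((1, int(line)))  # bare sid means gid 1 (text rules)
    return wanted


def apply_dropsid(rules_text: str, drop_set: Set[Tuple[int, int]]) -> Tuple[str, List[int]]:
    """Rewrite alert -> drop for listed SIDs; return new rules text and the SIDs that changed."""
    out, changed = [], []
    for line in rules_text.splitlines():
        action, sid_m = ACTION_RE.match(line), SID_RE.search(line)
        if action and sid_m and action.group(1) == "alert":
            gid_m = GID_RE.search(line)
            key = (int(gid_m.group(1)) if gid_m else 1, int(sid_m.group(1)))
            if key in drop_set:
                line = "drop" + line[len("alert"):]  # only the action keyword changes
                changed.append(key[1])
        out.append(line)
    return "\n".join(out), changed


# Constructed sample input: three enabled rules, one disabled, one already set to drop.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed rule A"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed disabled B"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule C"; sid:9000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"constructed already-drop D"; sid:9000004; rev:1;)
"""
SAMPLE_DROPSID = "# constructed dropsid.conf\n1:9000001\n9000002\n9000003\n9000004\n"

if __name__ == "__main__":
    new_rules, changed = apply_dropsid(SAMPLE_RULES, parse_dropsid(SAMPLE_DROPSID))
    print("SIDs switched from alert to drop (will no longer alert):", changed)
    print(new_rules)
```

Running it shows that only enabled alert rules are touched; the disabled rule and the rule already set to drop are reported unchanged.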