Snort mailing list archives
Re: Logging: alert vs drop with PulledPork using VRT & ET rules
From: JJ Cummings <cummingsj () gmail com>
Date: Tue, 4 Oct 2011 12:01:00 -0600
You should still see an alert, unless you have suppressed or put a noalert in the rule...

Sent from the iRoad

On Oct 4, 2011, at 9:56, NA <dustypath () comcast net> wrote:

Hi all,

I use both VRT and ET-no gpl rule sets and update via PulledPork. Snort 2.9.10 is running in afpacket mode and inline. Per the conf file for PulledPork and what I assume is the incompatible option (with ET) to set a policy of balanced or security, I use no policy. I see in a few rules that with a policy set the rule will both alert and drop.

When I use dropsid.conf to change a rule from alert to drop, I get no more alerts, and therefore do not see the traffic. Am I correct in thinking there is no way to get alerts on dropped sids with this configuration? (Other than using iptables via NFQ daq to log them elsewhere.) Should I just stop using the ET rules and set a policy?

thanks,
Bill B

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
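The reply above says a `drop` rule still alerts unless the SID is suppressed or the rule carries `flowbits:noalert`. The following script is an added example, not code from the thread, from PulledPork or from Snort: it mimics the `alert` to `drop` rewrite that `dropsid.conf` performs on a few constructed rules, then audits each resulting `drop` rule against a constructed `threshold.conf`-style suppression list and the rule's own `flowbits:noalert` option, reporting which dropped SIDs would still be expected to appear in the alert log. The `dropsid.conf` line format (`gid:sid` or bare `sid`, `#` comments) and the sample rules, SIDs and suppress entries are assumptions made for the example.

```python
"""Audit which PulledPork-dropped SIDs can still produce a visible Snort alert."""
import re

# Constructed sample rules (not from any real ruleset). sid:1000002 carries
# flowbits:noalert, so it never generates an alert even when it matches.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE plain rule"; content:"GET"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE flowbit setter"; flowbits:set,example.seen; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE suppressed rule"; content:"X"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE untouched rule"; content:"SSH"; sid:1000004; rev:1;)
"""

# Constructed dropsid.conf: one 'gid:sid' or bare 'sid' per line, '#' comments (format assumed).
SAMPLE_DROPSID = """\
# convert these to drop
1:1000001
1:1000002
1000003
"""

# Constructed suppression entry in Snort's threshold.conf 'suppress' syntax.
SAMPLE_SUPPRESS = """\
suppress gen_id 1, sig_id 1000003
"""

RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
SUPPRESS_RE = re.compile(r'^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)')


def parse_dropsids(text):
    """Return the set of (gid, sid) tuples listed in a dropsid.conf-style text."""
    ids = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        if ':' in line:
            gid, sid = line.split(':', 1)
            ids.add((int(gid), int(sid)))
        else:
            ids.add((1, int(line)))  # bare sid defaults to gid 1
    return ids


def parse_rule(line):
    """Split one rule into action, header, options, gid/sid and a noalert flag; None if not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group('opts')
    sid_m = SID_RE.search(opts)
    if not sid_m:
        return None
    gid_m = GID_RE.search(opts)
    return {'action': m.group('action'), 'header': m.group('header').strip(), 'opts': opts,
            'gid': int(gid_m.group(1)) if gid_m else 1, 'sid': int(sid_m.group(1)),
            'noalert': bool(re.search(r'flowbits:\s*noalert', opts))}


def apply_dropsids(rules_text, dropsid_text):
    """Rewrite 'alert' to 'drop' for listed SIDs, the way dropsid.conf changes a rule's action."""
    targets = parse_dropsids(dropsid_text)
    out = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r and r['action'] == 'alert' and (r['gid'], r['sid']) in targets:
            line = 'drop' + line.strip()[len('alert'):]
        out.append(line)
    return '\n'.join(out) + '\n'


def parse_suppress(text):
    """Return the set of (gid, sid) tuples that a suppress list silences."""
    return {(int(m.group(1)), int(m.group(2)))
            for m in map(SUPPRESS_RE.match, text.splitlines()) if m}


def audit_drop_rules(rules_text, suppress_text):
    """Map each drop rule's (gid, sid) to the reasons it would NOT alert; an empty list means an alert is expected."""
    suppressed = parse_suppress(suppress_text)
    report = {}
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if not r or r['action'] != 'drop':
            continue
        reasons = []
        if r['noalert']:
            reasons.append('flowbits:noalert')
        if (r['gid'], r['sid']) in suppressed:
            reasons.append('suppressed')
        report[(r['gid'], r['sid'])] = reasons
    return report


if __name__ == '__main__':
    converted = apply_dropsids(SAMPLE_RULES, SAMPLE_DROPSID)
    for (gid, sid), reasons in sorted(audit_drop_rules(converted, SAMPLE_SUPPRESS).items()):
        status = 'alert expected' if not reasons else 'silent: ' + ', '.join(reasons)
        print(f"{gid}:{sid} drop -> {status}")
```

Running it against the constructed input reports sid 1000001 as "alert expected", 1000002 as silent because of `flowbits:noalert`, and 1000003 as silent because of the suppress entry; pointing `apply_dropsids` and `audit_drop_rules` at a real rules file, `dropsid.conf` and `threshold.conf` is the quick way to check whether a dropped SID that produces no alerts is being silenced by one of those two causes rather than by the drop action itself.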
Current thread:
- Logging: alert vs drop with PulledPork using VRT & ET rules NA (Oct 04)
- Re: Logging: alert vs drop with PulledPork using VRT & ET rules JJ Cummings (Oct 04)