Snort mailing list archives
Re: Identify trigger of a drop rule
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 15 Apr 2013 14:01:30 -0400
On 4/15/2013 06:56, Yossi Nachum wrote:
Hi, I am using snort version 2.9.4 in inline mode using NFQ. I configure barnyard2 to send all alerts to my graylog2 server. I want to create a stream in graylog2 that will display all the drop alerts, is it possible? I created a dummy rule that drops all traffic to port 443. The rule works fine but the alert I get in syslog is the same alert as a regular snort alert. Is there any way to distinguish the drop alerts?
the messages you see are the MSG component of the rule... if you want to distinguish DROP rules from ALERT rules, you will need to modify their MSG component and you will have to do this every time the rules are updated...
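As an added example (not code from either poster), the following script automates the workaround waldo kitty describes: it prefixes the msg of every drop rule with a fixed tag so the alert text that barnyard2 forwards to syslog/graylog2 identifies the action, and it can be re-run after each rule update without double-tagging. The sample rules, the tag string and the barnyard2 syslog line layout used below are assumptions constructed for the example.

```python
import re

# Tag to prepend to the msg of every drop rule (assumed value for this example).
TAG = "[DROP] "

# Matches a one-line Snort rule whose action is "drop" and captures everything up to
# the opening quote of msg (group 1), the msg text (group 2) and the closing quote
# (group 3). The negative lookahead makes the rewrite idempotent.
RULE_RE = re.compile(
    r'^(\s*drop\s+.*?\(.*?msg:\s*")(?!\[DROP\] )([^"]*)(")',
    re.IGNORECASE,
)

# Barnyard2 syslog alerts carry "[gid:sid:rev] <msg>", so a tagged drop rule shows up
# as "[gid:sid:rev] [DROP] ..." (assumed layout; adjust to your barnyard2 output).
SYSLOG_DROP_RE = re.compile(r'\[\d+:\d+:\d+\]\s+\[DROP\]\s')


def tag_drop_rules(rules_text):
    """Return rules_text with TAG prefixed to the msg of each 'drop' rule.

    Line based: rules continued with a trailing backslash are not handled.
    Already tagged rules are returned unchanged, so re-running after a rules
    update is safe.
    """
    out = []
    for line in rules_text.splitlines():
        out.append(RULE_RE.sub(lambda m: m.group(1) + TAG + m.group(2) + m.group(3), line))
    return "\n".join(out)


def is_drop_alert(syslog_line):
    """True if a barnyard2 syslog line came from a tagged drop rule."""
    return SYSLOG_DROP_RE.search(syslog_line) is not None


if __name__ == "__main__":
    # Constructed sample rules: one alert rule and the dummy drop rule from the question.
    sample_rules = (
        'alert tcp any any -> any 80 (msg:"HTTP probe"; sid:1000000; rev:1;)\n'
        'drop tcp any any -> any 443 (msg:"Dummy drop 443"; sid:1000001; rev:1;)\n'
    )
    print(tag_drop_rules(sample_rules))
```

A graylog2 stream rule matching the `[DROP]` token in the message field then selects exactly the alerts that `is_drop_alert` accepts.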