Snort mailing list archives

Re: Identify trigger of a drop rule


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 15 Apr 2013 14:01:30 -0400

On 4/15/2013 06:56, Yossi Nachum wrote:
> Hi,
> I am using snort version 2.9.4 in inline mode using NFQ. I configured barnyard2
> to send all alerts to my graylog2 server.
>
> I want to create a stream in graylog2 that will display all the drop alerts. Is
> it possible?
>
> I created a dummy rule that drops all traffic to port 443. The rule works fine,
> but the alert I get in syslog is the same as a regular snort alert. Is there
> any way to distinguish the drop alerts?

the messages you see are the MSG component of the rule... if you want to 
distinguish DROP rules from ALERT rules, you will need to modify their MSG 
component and you will have to do this every time the rules are updated...

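One way to apply the suggestion above (tagging the `msg` of blocking rules so they can be told apart downstream) is a small rewrite pass over the rule files. The script below is an added example written for this archive page, not code from the thread or from the Snort project; it assumes one rule per line (no backslash continuations), that the rule action is the first word on the line, and that a prefix such as `[DROP] ` appearing in the syslog message is enough for a graylog2 stream to match on. The sample rules are constructed for the example.

```python
import re
import sys

# A Snort rule starts with its action keyword; only these actions block traffic
# in inline mode. 'sdrop' is included although it produces no alert, so tagging
# it is harmless. (Assumption: one rule per line, action first.)
RULE_ACTION_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s+')
# The msg option carries the text that barnyard2 forwards to syslog/graylog2.
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')

BLOCKING_ACTIONS = ("drop", "reject", "sdrop")
DEFAULT_PREFIX = "[DROP] "


def tag_rule(line, prefix=DEFAULT_PREFIX, actions=BLOCKING_ACTIONS):
    """Return the rule line with its msg prefixed when the action blocks traffic.

    Comments, blank lines, non-blocking rules, rules without a msg, and rules
    that already carry the prefix are returned unchanged, so the function is
    idempotent and can be re-run after every rule update.
    """
    m = RULE_ACTION_RE.match(line)
    if not m or m.group(1) not in actions:
        return line
    mm = MSG_RE.search(line)
    if not mm or mm.group(1).startswith(prefix):
        return line
    # Insert the prefix at the start of the quoted msg text.
    return line[:mm.start(1)] + prefix + line[mm.start(1):]


def tag_rules(text, prefix=DEFAULT_PREFIX, actions=BLOCKING_ACTIONS):
    """Apply tag_rule to every line of a rules file, preserving line order."""
    return "\n".join(tag_rule(l, prefix, actions) for l in text.splitlines())


def count_tagged(text, prefix=DEFAULT_PREFIX):
    """Number of rules whose msg starts with the prefix (useful as a sanity check)."""
    return sum(1 for l in text.splitlines()
               if (mm := MSG_RE.search(l)) and mm.group(1).startswith(prefix))


# Constructed sample rules for the example (not from the thread).
SAMPLE_RULES = """\
# constructed sample rules
drop tcp any any -> any 443 (msg:"HTTPS blocked"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP seen"; sid:1000002; rev:1;)
reject tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH rejected"; sid:1000003; rev:1;)
drop tcp any any -> any 443 (msg:"[DROP] already tagged"; sid:1000004; rev:1;)
"""


def main(argv):
    # Usage: python tag_drop_rules.py local.rules > local.tagged.rules
    # With no argument the constructed sample is rewritten to stdout.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RULES
    sys.stdout.write(tag_rules(text) + "\n")


if __name__ == "__main__":
    main(sys.argv)
```

Because the function is idempotent, the same pass can be scheduled right after each rule refresh, which addresses the "every time the rules are updated" caveat; the graylog2 stream then only needs a rule matching messages that begin with the chosen prefix.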
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net