Re: Snort 3 Config File Question (3)

[Jim Campbell <jim () w4bqp net>]

Thank you, Victor, Russ and Noah for your prompt replies to my question.

I took my snort3.rules file that I had built using the 2.9.9.0 rules 
file and snort2lua and attempted to change the first alert in each line 
from alert to drop.

This is the command line that I used to do that:

awk '{sub("alert","drop",$0); print;}' snort3.rules > snort3d.rules

Taking a quick peek at the resulting file, it looked to me that the 
beginning "alert" was now "drop".

I restarted Snort and it started writing to a new 'unified2' log. After 
a little while I stopped Snort and took a peek at the syslog file.

Jul 24 15:17:05 jim-IPS snort[21297]: 
--------------------------------------------------
Jul 24 15:17:05 jim-IPS snort[21297]: Packet Statistics
Jul 24 15:17:05 jim-IPS snort[21297]: 
--------------------------------------------------
Jul 24 15:17:05 jim-IPS snort[21297]: daq
Jul 24 15:17:05 jim-IPS snort[21297]:                  received: 268
Jul 24 15:17:05 jim-IPS snort[21297]:                  analyzed: 268
Jul 24 15:17:05 jim-IPS snort[21297]:                     allow: 211
Jul 24 15:17:05 jim-IPS snort[21297]:                     block: 21
Jul 24 15:17:05 jim-IPS snort[21297]:                   replace: 36
Jul 24 15:17:05 jim-IPS snort[21297]: 
--------------------------------------------------

I'm puzzled as to why it is reporting that it "block"ed packets instead 
of dropping them. (As I understand "block" I may want to do that instead 
of "drop"). Otherwise I'm a happy camper.

Thanks again, fellows.

Jim

On 7/24/2017 12:19 PM, Noah Dietrich wrote:
> You need to replace "alert" with "drop" as the first item (the action) 
> in your rule.
> example:
> *drop* icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; 
> sid:10000001; rev:001; classtype:icmp-event;)
>
> Links:
> Snort Rule Headers from the manual: 
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00421000000000000000
> http://blog.snort.org/2015/07/snort-rule-changes.html
>
> One thing you can do is convert your rules from "alert" to "drop" 
> rules, but then have snort alert on them instead of drop (for testing 
> purposes) using the *--treat-drop-as-alert* flag when running snort.  
> When snort drops a packet properly in inline mode, it will also write 
> an event (if barnyard2 i setup) with the action being drop.
>
>
> On Mon, Jul 24, 2017 at 5:37 PM, Jim Campbell <jim () w4bqp net 
> <mailto:jim () w4bqp net>> wrote:
>
>     I am embarrassed  to come to come to the list with such a simple
>     question but I really do need an answer.
>
>     I am running Snort in IPS/Inline mode. My systemD command line is
>     as follows:
>
>     ExecStart=/opt/snort/bin/snort --daq afpacket -Q -c
>     /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/snort3.ru
>     <http://snort3.ru>les -i enp1s0:enp4s0 -A unified2 -l
>     /opt/snort/etc/snort
>
>     Each of the rules in snort3.rules begin with "alert".
>
>     The Snort 3 User Manual implies that if Snort is in inline mode,
>     when a packet triggers an alert that packet is dropped. I need to
>     be sure. Is there somewhere that I can query that will tell me if
>     packets are being dropped and if so how many?
>
>     Thanks,
>
>     Jim Campbell
>
>     -- 
>     "We are not human beings having a spiritual experience;
>     we are spiritual beings having a human experience."
>     ---Pierre Teilhard de Chardi
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!