Snort mailing list archives

Logging: alert vs drop with PulledPork using VRT & ET rules


From: NA <dustypath () comcast net>
Date: Tue, 04 Oct 2011 08:56:31 -0700

Hi all,

I use both VRT and ET-no gpl rule sets and update via PulledPork. Snort
2.9.10 is running in afpacket mode and inline.
Per the conf file for PulledPork and what I assume is the incompatible
option (with ET) to set a policy of balanced or security, I use no policy.
I see in a few rules that with a policy set the rule will both alert and
drop.
When I use dropsid.conf to change a rule from alert to drop, I get no
more alerts, and therefore do not see the traffic.
Am I correct in thinking there is no way to get alerts on dropped sids
with this configuration? (Other than using iptables via NFQ daq to log
them elsewhere).
Should I just stop using the ET rules and set a policy?
thanks,
Bill B
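To make concrete what a dropsid.conf entry does to a rule file, here is an added Python example (not PulledPork's own code, and not from the original post) that applies gid:sid entries to Snort 2.x rules, rewriting alert to drop and reporting any listed sid that was not changed because its rule is commented out or absent. It assumes plain gid:sid entries only, a gid of 1 when a rule carries no gid option, and constructed sample rules; PulledPork's other dropsid.conf syntaxes are not handled.

```python
import re

# Constructed sample rules in Snort 2.x syntax (not from the original post).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH sample"; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS sample"; sid:1000002; rev:2;)
# alert tcp any any -> any any (msg:"disabled sample"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET sample"; gid:1; sid:2000001; rev:1;)
"""

# Constructed dropsid.conf-style content: one "gid:sid" per line, '#' comments.
SAMPLE_DROPSID = """\
# sids to switch from alert to drop
1:1000001
1:2000001
1:1000003
"""

# Only lines that start with a rule action count; commented rules are skipped.
RULE_RE = re.compile(r'^(?P<action>alert|log|pass|drop|sdrop|reject)\s+(?P<rest>.*\(.*\))\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_dropsid(text):
    """Return the set of (gid, sid) pairs listed in dropsid.conf-style text."""
    wanted = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        gid, sid = line.split(':', 1)
        wanted.add((int(gid), int(sid)))
    return wanted


def apply_dropsid(rules_text, dropsid_text):
    """Rewrite 'alert' to 'drop' for listed sids; return (new_text, changed, missing).

    'missing' lists requested sids that no active rule matched (commented out or
    absent), so the operator can see which drops never took effect.
    """
    wanted, seen, out = parse_dropsid(dropsid_text), set(), []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        sid_m = SID_RE.search(line) if m else None
        if m and sid_m:
            gid_m = GID_RE.search(line)
            key = (int(gid_m.group(1)) if gid_m else 1, int(sid_m.group(1)))
            if key in wanted:
                seen.add(key)
                if m.group('action') == 'alert':
                    line = 'drop ' + m.group('rest')
        out.append(line)
    return '\n'.join(out) + '\n', sorted(seen), sorted(wanted - seen)
```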

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net