Snort mailing list archives
Re: Snort 3 Config File Question (3)
From: Russ via Snort-users <snort-users () lists snort org>
Date: Mon, 24 Jul 2017 12:04:06 -0400
Are you referring to Section 2.6 which says: "action - tells Snort what to do when a rule "fires", ie when the signature matches. In this case Snort will log the event. It can also do thing like block the flow when running inline."That is saying what the rule actions can do, not that alert = block. We can try to clarify there. Briefly:
alert - generate an event, no impact to traffic drop - generate an event and discard this packet onlyblock - generate and event and discard this packet and all subsequent packets on the flow
Note that drop and block only impact traffic when inline. Otherwise such rules are not loaded or can be loaded to alert only with --treat-drop-as-alert.
As for what Snort is actually doing, you can check the shutdown stats, the perf_monitor logs, and query stats from the shell. Check the manual for details on those. For example, at shutdown you might see:
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
pcaps: 1
received: 27
analyzed: 27
allow: 23
blacklist: 4
That means 23 packets were allowed to pass and 4 were discarded (these
are DAQ verdict counts).
Hope that helps. Russ On 7/24/17 11:37 AM, Jim Campbell wrote:
I am embarrassed to come to come to the list with such a simple question but I really do need an answer.I am running Snort in IPS/Inline mode. My systemD command line is as follows:ExecStart=/opt/snort/bin/snort --daq afpacket -Q -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/snort3.rules -i enp1s0:enp4s0 -A unified2 -l /opt/snort/etc/snortEach of the rules in snort3.rules begin with "alert".The Snort 3 User Manual implies that if Snort is in inline mode, when a packet triggers an alert that packet is dropped. I need to be sure. Is there somewhere that I can query that will tell me if packets are being dropped and if so how many?Thanks, Jim Campbell
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort 3 Config File Question (3) Jim Campbell (Jul 24)
- Re: Snort 3 Config File Question (3) Victor Roemer via Snort-users (Jul 24)
- Re: Snort 3 Config File Question (3) Russ via Snort-users (Jul 24)
- Re: Snort 3 Config File Question (3) Noah Dietrich (Jul 24)
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 24)
- <Possible follow-ups>
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 24)
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 24)
- Re: Snort 3 Config File Question (3) Russ via Snort-users (Jul 24)
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 25)
- Re: Snort 3 Config File Question (3) wkitty42 (Jul 25)
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 24)