Snort mailing list archives
Re: Snort 3 Config File Question (3)
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Mon, 24 Jul 2017 18:19:04 +0200
You need to replace "alert" with "drop" as the first item (the action) in your rule. Example:

*drop* icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)

Links:
Snort Rule Headers from the manual: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00421000000000000000
http://blog.snort.org/2015/07/snort-rule-changes.html

One thing you can do is convert your rules from "alert" to "drop" rules, but then have snort alert on them instead of drop (for testing purposes) using the *--treat-drop-as-alert* flag when running snort. When snort drops a packet properly in inline mode, it will also write an event (if barnyard2 is set up) with the action being drop.

On Mon, Jul 24, 2017 at 5:37 PM, Jim Campbell <jim () w4bqp net> wrote:
> I am embarrassed to come to the list with such a simple question but I really do need an answer. I am running Snort in IPS/Inline mode. My systemd command line is as follows:
>
> ExecStart=/opt/snort/bin/snort --daq afpacket -Q -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/snort3.rules -i enp1s0:enp4s0 -A unified2 -l /opt/snort/etc/snort
>
> Each of the rules in snort3.rules begins with "alert". The Snort 3 User Manual implies that if Snort is in inline mode, when a packet triggers an alert that packet is dropped. I need to be sure. Is there somewhere that I can query that will tell me if packets are being dropped and if so how many?
>
> Thanks,
> Jim Campbell
>
> --
> "We are not human beings having a spiritual experience; we are spiritual beings having a human experience." ---Pierre Teilhard de Chardin
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
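As an added example illustrating the advice in the reply above (this is not code from the thread or from the Snort project): a small Python script that reports the action keyword of each rule in a Snort rules file and rewrites "alert" rules as "drop" rules, so the converted file can be exercised with --treat-drop-as-alert before it is run for real. The list of recognised action keywords and the sample rules embedded in the script are assumptions constructed for this example; the first sample rule is the "alert" form of the rule discussed above.

```python
import re
import sys
from collections import Counter

# Action keywords a rule header may start with (assumed union of Snort 2 and
# Snort 3 keywords for this example; extend it if your ruleset uses others).
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "block")

# Group 1: leading whitespace, group 2: the action, group 3: the rest of the rule.
RULE_ACTION_RE = re.compile(r"^(\s*)(" + "|".join(ACTIONS) + r")\b(.*)$")

# Constructed sample rules-file content (not from the thread); the first rule
# is the "alert" form of the example rule discussed above.
SAMPLE_RULES = """# constructed sample rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
pass tcp $HOME_NET any -> any 22 (msg:"allow ssh"; sid:10000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP probe"; sid:10000003; rev:1;)
"""


def rule_action(line):
    """Return the action keyword of one rules-file line, or None for blank
    lines, comments and lines that do not start with a known action."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = RULE_ACTION_RE.match(line)
    return m.group(2) if m else None


def action_summary(rules_text):
    """Count rules per action, so you can see at a glance whether a ruleset
    loaded in inline mode contains anything that will actually drop traffic."""
    counts = Counter(a for a in map(rule_action, rules_text.splitlines()) if a)
    return dict(counts)


def convert_alert_to_drop(rules_text):
    """Rewrite every 'alert' rule as a 'drop' rule, leaving comments, other
    actions and the rule body untouched. Returns (new_text, number_converted)."""
    out = []
    converted = 0
    for line in rules_text.splitlines():
        if rule_action(line) == "alert":
            line = RULE_ACTION_RE.sub(r"\1drop\3", line, count=1)
            converted += 1
        out.append(line)
    return "\n".join(out) + "\n", converted


if __name__ == "__main__":
    # Usage: python convert_rules.py [rules_file]; without a file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print("actions before:", action_summary(text))
    new_text, n = convert_alert_to_drop(text)
    print("converted %d alert rule(s) to drop" % n)
    print("actions after:", action_summary(new_text))
    sys.stdout.write(new_text)
```

Run it against a copy of snort3.rules, redirect the output to a new file, and point Snort at that file; the action summary printed before and after makes it obvious how many rules will drop rather than only alert once inline mode is active, and the converted file can first be loaded with the --treat-drop-as-alert flag mentioned above so the rules alert instead of dropping while you validate them.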
Current thread:
- Snort 3 Config File Question (3) Jim Campbell (Jul 24)
- Re: Snort 3 Config File Question (3) Victor Roemer via Snort-users (Jul 24)
- Re: Snort 3 Config File Question (3) Russ via Snort-users (Jul 24)
- Re: Snort 3 Config File Question (3) Noah Dietrich (Jul 24)
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 24)
- <Possible follow-ups>
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 24)
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 24)
- Re: Snort 3 Config File Question (3) Russ via Snort-users (Jul 24)
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 25)
- Re: Snort 3 Config File Question (3) wkitty42 (Jul 25)
- Re: Snort 3 Config File Question (3) Jim Campbell (Jul 24)