Home page logo

snort logo Snort mailing list archives

Re: Snort sdrop
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 22 Apr 2013 09:31:50 -0400

On Apr 22, 2013, at 9:00 AM, Joao Daniel Neves <joaodanielnevesss () hotmail com> wrote:

The IP Z.X.C.V is triggering a lot of alarms on my IDS (more than 1 million). I have wrote a very simple Snort rule 
to drop packages from this source. For some reason it is not working. Did I did something wrong ?

sdrop udp Z.X.C.V any -> any any
sdrop tcp Z.X.C.V any -> any any
sdrop icmp Z.X.C.V any -> any any

Of course, I have restarted Snort

Are you sure that's what you want to do?  Are you sure you don't want a suppression?

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
  • Snort sdrop Joao Daniel Neves (Apr 22)
    • <Possible follow-ups>
    • Snort sdrop Joao Daniel Neves (Apr 22)
      • Re: Snort sdrop Joel Esler (Apr 22)
        • Message not available
        • Message not available
        • Re: Snort sdrop Joao Daniel Neves (Apr 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]