Drop rule question



  • I just would like to ask if this is how dropsid syntax is to be done.

    emerging-attack_response,emerging-botcc.portgrouped,emerging-botcc,emerging-compromised,emerging-dos,emerging-dshield,emerging-exploit,emerging-malware,emerging-misc,emerging-mobile_malware,emerging-p2p,emerging-tor,emerging-trojan,emerging-worm,snort_backdoor,snort_botnet-cnc,snort_ddos,snort_dos,snort_malware-backdoor,snort_malware-cnc,snort_malware-other,snort_malware-tools,snort_misc,snort_p2p,snort_pua-p2p,snort_specific-threats,snort_spyware-put,snort_virus,GPLv2_community

    I placed the above rule in dropsid-sample.conf and selected it on Drop SID File. Suricata detected and has an alert on ET TROJAN downadup/Conficker A or B Worm reporting; however, it is not dropping it, since the highlight is not in red.


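Whatever the correct drop-list syntax turns out to be, the reliable way to tell whether Suricata is actually dropping a signature is Suricata's own eve.json rather than the colour of a row in the web GUI: each alert record carries `alert.action`, which is `allowed` when the rule only alerted and `blocked` when the packet was dropped. The script below is an added example, not code from the post or from the pfSense Suricata package; the EVE records it parses are constructed (the signature IDs 9000001 and 9000002 are placeholders, not real ET or Snort SIDs), and only the EVE fields the script reads are included.

```python
"""Summarise Suricata EVE alert actions per signature.

Added example; the sample records below are constructed and use placeholder
signature IDs (9000001, 9000002), not real ET/Snort SIDs.
"""
import json
from collections import defaultdict

# Constructed sample eve.json lines. Real Suricata output has many more fields;
# only the ones this script reads are included. alert.action is "allowed" when
# the rule merely alerted and "blocked" when Suricata dropped the traffic
# (inline/IPS mode with a drop rule in effect).
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10", "dest_ip": "198.51.100.5"}),
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "198.51.100.5",
                "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001,
                          "signature": "ET TROJAN downadup/Conficker A or B Worm reporting"}}),
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.11", "dest_ip": "198.51.100.5",
                "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001,
                          "signature": "ET TROJAN downadup/Conficker A or B Worm reporting"}}),
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.12", "dest_ip": "203.0.113.7",
                "alert": {"action": "blocked", "gid": 1, "signature_id": 9000002,
                          "signature": "CONSTRUCTED example signature that is dropped"}}),
    "{this line is truncated and not valid JSON",
]


def summarize_alert_actions(lines):
    """Return ({(gid, sid, signature): {"allowed": n, "blocked": n}}, skipped).

    Non-alert events (flow, dns, ...) are ignored. Malformed lines, a common
    sight when tailing a log that is still being written, are counted in
    `skipped` and otherwise ignored rather than aborting the run.
    """
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    skipped = 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        key = (alert.get("gid"), alert.get("signature_id"), alert.get("signature"))
        # Older Suricata builds may omit alert.action; treat that as alert-only.
        action = alert.get("action", "allowed")
        if action not in ("allowed", "blocked"):
            action = "allowed"
        summary[key][action] += 1
    return dict(summary), skipped


def alert_only_signatures(summary):
    """Signatures that fired but were never blocked: the ones to check in the drop list."""
    return sorted(
        (key for key, counts in summary.items()
         if counts["allowed"] > 0 and counts["blocked"] == 0),
        key=lambda k: (str(k[0]), str(k[1]), str(k[2])),
    )


def load_eve(path):
    """Run the summary over a real eve.json file, one JSON object per line."""
    with open(path, encoding="utf-8") as fh:
        return summarize_alert_actions(fh)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        summary, skipped = load_eve(sys.argv[1])
    else:
        summary, skipped = summarize_alert_actions(SAMPLE_EVE_LINES)
    for (gid, sid, sig), counts in sorted(
            summary.items(), key=lambda kv: (str(kv[0][0]), str(kv[0][1]))):
        print(f"{gid}:{sid} allowed={counts['allowed']} blocked={counts['blocked']}  {sig}")
    for gid, sid, sig in alert_only_signatures(summary):
        print(f"NOT DROPPING: {gid}:{sid} {sig}")
    if skipped:
        print(f"skipped {skipped} malformed line(s)")
```

Run it with no arguments to see the constructed sample, or with the path to the sensor's eve.json (on pfSense the interface's log directory) to see which signatures are alerting without ever being blocked; a signature that shows up in the `NOT DROPPING` list after traffic has hit it is the one whose drop-list entry needs checking.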