Archives For oinkmaster

Unless I’m just not seeing it, there isn’t a way to differentiate alerts from drops with BASE for snort. They all appear the same, and unless you know the sid or the .rules file, all the information looks the same. To help alleviate this, and give users the ability to see rules that are dropping packets at a glance, I decided to task Oinkmaster.pl with this job. Adding the phrase “DROPPED” to the end of the “msg:” section of the signature will make it appear that way in BASE, and Aanval can now send an email whenever one of these rules is triggered.
To do so, simply add the following to your oinkmaster.conf file (replace “sid or rule” with the sid list or .rules file that modifysid should apply to):

modifysid sid or rule "(.*msg:\s*".+?)"(\s*;.+;)" | "${1}, DROPPED"${2}"
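To check what this substitution does to a rule before pointing oinkmaster at a ruleset, here is an added Python example (not oinkmaster’s own code) that applies the same regex with Python’s re module. It also goes a step beyond the config line above by selecting rules on their drop action instead of a hand-kept sid list; it assumes a ruleset with one rule per line, and the sample rules are constructed.

```python
import re

# The same pattern the modifysid line uses; oinkmaster's ${1}/${2}
# backreferences become \1/\2 in Python's re.sub replacement string.
MSG_RE = re.compile(r'(.*msg:\s*".+?)"(\s*;.+;)')


def tag_dropped(rule: str) -> str:
    """Append ', DROPPED' to the msg of one rule line, exactly as the
    oinkmaster modifysid line does (applies to whatever line it is given)."""
    return MSG_RE.sub(r'\1, DROPPED"\2', rule)


def tag_drop_rules(rules_text: str) -> str:
    """Tag only rules whose action is 'drop'; alert rules, comments and
    blank lines pass through untouched. This is the action-based selection
    that the per-sid modifysid line leaves to the administrator."""
    out = []
    for line in rules_text.splitlines():
        if re.match(r"\s*drop\s", line):
            out.append(tag_dropped(line))
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample rules (not taken from any real ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; flow:to_server; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server; sid:1000002; rev:1;)
# comment line stays as is
"""

if __name__ == "__main__":
    # The drop rule's msg ends up as "EXAMPLE SMB probe, DROPPED"; the alert rule is unchanged.
    print(tag_drop_rules(SAMPLE_RULES))
```

Running the script prints the rules with only the drop rule’s msg rewritten, which is what BASE will then show for that signature.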