Re: Compiling snort for CheckPoint Firewall-1 support

[Frank Knobbe <frank () knobbe us>]

On Fri, 2006-05-12 at 11:00 +0200, carlopmart wrote:
>   Yes, correct but I need to modify snort rules by hand if i would to 
> block some connections with snortsam (and if I launch process to update 
> snort rules, they are overwritted and I lose my changes). I need to 
> block connections immediately using snort rules and custom rules.

You can create a sid-block.map file instead of modifying rules. See
README.rules:

---8<---
Instead of modifying the Snort rules, you can also create a file named
sid-block.map which has to be in the same directory as Snort's
sid-msg.map
file (typically etc). In this file you can list the fwsam option using
following syntax:

  <sid>:<option>

For example:

   1023: src, 15 min

   Alternatively, you may use a | (pipe) instead of a : (colon).
   This has the same effect as adding "fwsam: src, 15min;" to the Snort
rule
   with SID 1023.

   You can specify options in both places (rules and sid-block.map
file), but
   the sid file takes priority. The file has to be in the same directory
as the
   other Snort config files (ie. sid-msg.map).
--->8---

Regards,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part