Snort mailing list archives

Re: rules in snort inline


From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Tue, 15 Jun 2010 16:22:01 -0400

I'm going to point you to use Nigel & Joel & JJ's advice on this one...



Furthermore, if you want to change some rule from alert to drop, you should disable the rule (I also recommend Pulled Pork for downloading, enabling, disabling, etc.) and move the rule to your local.rules file with your changes - make sure you give the rule a new sid number and update your sid-msg.map file. That way, when you download the rule updates, you don't overwrite your changes.



-Parker
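Parker's workflow written out as a POSIX shell script. This is an added example, not code from the thread or from Snort/PulledPork. It assumes local.rules and sid-msg.map live in the rules directory (adjust the paths if your install keeps sid-msg.map elsewhere, e.g. /etc/snort/), that each rule sits on one line, and that the new sid comes from the local range (1000000 and up; lower sids are reserved for the official rule sets). The rules in make_fixture are constructed for the demo and are not real Snort rules.

```bash
#!/bin/sh
# Added example, not from the original thread: promote one Snort rule from
# "alert" to "drop" without losing the change on the next rule update.
set -eu

# promote_to_drop RULES_DIR OLD_SID NEW_SID
#  1. find the enabled rule carrying sid:OLD_SID in RULES_DIR/*.rules
#  2. comment it out in place (disable), so an update only refreshes a dead line
#  3. append a "drop" copy carrying sid:NEW_SID (rev reset to 1) to local.rules
#  4. append "NEW_SID || msg" to sid-msg.map so the drop shows its message text
promote_to_drop() {
    dir=$1; old=$2; new=$3
    src=""
    for f in "$dir"/*.rules; do
        case "$f" in */local.rules) continue ;; esac   # never edit our own copies
        if grep -q "^alert .*sid:$old;" "$f"; then src=$f; break; fi
    done
    [ -n "$src" ] || { echo "sid $old not found or not enabled" >&2; return 1; }
    rule=$(grep "^alert .*sid:$old;" "$src" | head -n 1)
    msg=$(printf '%s\n' "$rule" | sed -n 's/.*msg:"\([^"]*\)".*/\1/p')
    # 2. disable the original; temp file + mv instead of the non-portable sed -i
    sed "s|^\(alert .*sid:$old;\)|# \1|" "$src" > "$src.tmp" && mv -f "$src.tmp" "$src"
    # 3. drop copy with the new local sid
    printf '%s\n' "$rule" \
      | sed -e 's/^alert /drop /' -e "s/sid:$old;/sid:$new;/" -e 's/rev:[0-9]*;/rev:1;/' \
      >> "$dir/local.rules"
    # 4. keep sid-msg.map in step (assumed to sit in RULES_DIR)
    printf '%s || %s\n' "$new" "$msg" >> "$dir/sid-msg.map"
}

# Constructed fixture: a scratch rules directory so the script runs offline.
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/web-attacks.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE passwd fetch"; content:"/etc/passwd"; sid:2001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE second rule"; content:"cmd.exe"; sid:2002; rev:1;)
EOF
    printf '2001 || EXAMPLE passwd fetch\n2002 || EXAMPLE second rule\n' > "$d/sid-msg.map"
    printf '%s\n' "$d"
}

# Demo: promote sid 2001 to a drop rule with local sid 1000001 and show the result.
demo() {
    d=$(make_fixture)
    promote_to_drop "$d" 2001 1000001
    cat "$d/web-attacks.rules" "$d/local.rules" "$d/sid-msg.map"
}

demo
```

Against a real install you would call `promote_to_drop /etc/snort_inline/rules 2001 1000001` and then reload Snort; the commented-out original is exactly what PulledPork's disable list would produce, so the two approaches can coexist.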



  _____

From: Burks, Doug [mailto:doug.burks () morris com]
Sent: Tuesday, June 15, 2010 3:46 PM
To: black_angel black_angel; snort-users () lists sourceforge net
Subject: Re: [Snort-users] rules in snort inline



How about something like this?



sed -i 's|^alert |drop |g'  /etc/snort_inline/rules/*.rules



Regards,

--

Doug Burks, GPEN, GCIA, GSEC, CISSP
http://securityonion.blogspot.com





  _____

From: black_angel black_angel [mailto:black.sad.angel () gmail com]
Sent: Tuesday, June 15, 2010 3:34 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] rules in snort inline

hey everybody,
I am trying to change all the rules for my snort inline from "alert" mode to "drop". I used this script, but it doesn't work correctly:



cd /etc/snort_inline/rules/ || exit 1
# loop over the glob directly instead of parsing ls output
for file in *.rules
do
    # rewrite "alert" at the start of a line to "drop", then replace the file
    sed -e 's:^alert:drop:' "${file}" > "${file}.new"
    mv -f "${file}.new" "${file}"
done

If someone has another script or any idea...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net