Snort mailing list archives
Re: rules in snort inline
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 15 Jun 2010 17:09:21 -0500
--On Tuesday, June 15, 2010 16:01:31 -0400 Joel Esler <jesler () sourcefire com> wrote:
> On Jun 15, 2010, at 3:52 PM, Nigel Houghton wrote:
>
>> On Tue, Jun 15, 2010 at 3:33 PM, black_angel black_angel <black.sad.angel () gmail com> wrote:
>>
>>> Hey everybody, I try to change all the rules for my snort inline from mode "alert" to "drop". I used this script but it doesn't work correctly:
>>>
>>> cd /etc/snort_inline/rules/
>>> for file in $(ls -1 *.rules)
>>> do
>>> sed -e 's:^alert:drop:g' ${file} > ${file}.new
>>> mv ${file}.new ${file} -f
>>> done
>>>
>>> If someone has another script or any idea
>>
>> Don't do that, any of you. There are flowbit rules (the ones that set a flowbit) that should never be set to drop. Use Pulled Pork or Oinkmaster to manage your rules and make changes. That is all.
>
> Yes, and doing the above will also assure to make sure your network ceases to function.

Some have recommended to us, on more than one occasion, that causing the network to cease to function would help secure the university against attack. Perhaps the OP had that in mind??? :-)

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
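
The flowbits caveat raised in the quoted text above, as an added example that is not part of the thread: a dry-run audit that lists which active alert rules the blanket sed would also turn into drop even though they change flowbit state. The sample rules, their SIDs and the set of flowbits actions treated as state-changing are assumptions made for this illustration, which goes slightly beyond "set" to cover the other state-changing actions.

```python
import re

# Assumption: flowbits actions that change state or silence the rule.
# isset/isnotset only test state, so they are not listed here.
STATE_CHANGING = {"set", "unset", "toggle", "reset", "noalert"}
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def audit_rules(text):
    """Split active alert rules into (plain, flowbit_setters) lists of SIDs."""
    plain, flowbit_setters = [], []
    for line in text.splitlines():
        line = line.strip()
        # The sed expression only touches lines that begin with "alert",
        # so commented-out rules and other actions are ignored here too.
        if not re.match(r"alert\s", line):
            continue
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        actions = {a.lower() for a in FLOWBITS_RE.findall(line)}
        if actions & STATE_CHANGING:
            flowbit_setters.append(sid)
        else:
            plain.append(sid)
    return plain, flowbit_setters


# Constructed sample rules (local SID range, not taken from any real rule set).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL request seen"; flow:to_server,established; content:"GET /download"; flowbits:set,local.dl; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"LOCAL bad response"; flow:to_client,established; flowbits:isset,local.dl; content:"|4D 5A|"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL ftp probe"; content:"SITE EXEC"; sid:1000003; rev:1;)
# alert tcp any any -> any 23 (msg:"LOCAL disabled"; flowbits:set,local.t; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    plain, flowbit_setters = audit_rules(SAMPLE_RULES)
    print("flowbit-setting rules the sed would turn into drop:", flowbit_setters)
    print("alert rules with no state-changing flowbits:", plain)
```
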