Snort mailing list archives
Re: Snort Block rules download for IPS mode
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 28 Jan 2013 03:26:19 -0500
On 1/28/2013 02:21, immanuel wrote:
> Hi Joel, Thank you very much for the response. Our Snort server is working fine in the inline mode, which we have tested by manually creating block/deny rules in the local.rules file. But by default, the rules which we have downloaded are specific to IDS mode, as the rule action is ALERT.
yes... all generated and distributed rules are ALERT rules... this is the safest for distribution and it is up to each receiver to adjust them as needed for their network's needs...
> There are several hundred such rules and we wish to know how to convert these rules for inline mode. Do we need to manually change each rule action to drop?
yes and no... yes, you need to change them... manually? no, this is where pulledpork or oinkmaster will come in handy... both are rule retrieval scripts and both handle the updating of your existing rules with the new ones... pulledpork does more than oinkmaster but both have a mechanism where you tell them what to do with certain rules... like enabling some that are disabled by default or disabling enabled ones because you don't need them in your network... they can also edit rules to make changes to them... in your case, you'd want to tell them what rules you want to alter from alert to drop...
> What happens to these modified rules when I update the same from the Snort website for the latest version?
if you were to do it all manually, you'd have to update and reedit each time you pulled new rules... with oinkmaster or pulledpork, you let them do all the work of downloading, merging and editing...
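To make the "keep a list of SIDs and re-apply it after every download" workflow concrete, here is an added example (not code from the thread, pulledpork or oinkmaster) that rewrites `alert` to `drop` for a persistent SID list on a freshly downloaded rules file. The rules text and the `gid:sid` drop list are constructed samples; the drop-list shape is an assumption modelled on pulledpork's dropsid.conf, not a copy of its parser.

```python
import re

# Constructed sample ruleset (not a real Snort/VRT rules file): one enabled
# rule, one rule disabled by default (commented out) and one we leave alone.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE disabled"; sid:9000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; sid:9000003; rev:2;)
"""

# Constructed "which SIDs should block" list in a gid:sid / gid:sid-sid style
# (assumption: modelled on pulledpork's dropsid.conf, not its actual parser).
SAMPLE_DROPSID = """\
# sids that should drop instead of alert
1:9000001
1:9000002
"""

RULE_RE = re.compile(r'^(?P<lead>\s*(?:#\s*)?)alert\s(?P<rest>.*\bsid:\s*(?P<sid>\d+)\s*;.*)$')

def parse_dropsid(text):
    """Collect SIDs from gid:sid or gid:sid-sid lines; '#' starts a comment."""
    sids = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        _gid, _, spec = line.partition(':')
        lo, _, hi = spec.partition('-')
        sids.update(range(int(lo), int(hi or lo) + 1))
    return sids

def convert_to_drop(rules_text, drop_sids):
    """Rewrite 'alert' to 'drop' for the listed SIDs. Rules that are disabled
    by default (commented out) stay as they are; everything else is kept verbatim."""
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and '#' not in m.group('lead') and int(m.group('sid')) in drop_sids:
            line = f"{m.group('lead')}drop {m.group('rest')}"
            changed.append(int(m.group('sid')))
        out.append(line)
    return '\n'.join(out) + '\n', changed

def refresh(downloaded_rules, dropsid_text):
    """Post-update step: re-apply the persistent drop list to the new download,
    so the alert->drop edits survive every rules update instead of being lost."""
    return convert_to_drop(downloaded_rules, parse_dropsid(dropsid_text))

if __name__ == '__main__':
    text, changed = refresh(SAMPLE_RULES, SAMPLE_DROPSID)
    print(text)
    print('converted sids:', changed)
```

Run `refresh()` after each download rather than editing the downloaded file by hand; the disabled rule keeps `alert` until it is enabled, at which point another pass converts it.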