Snort mailing list archives
Re: Restart snort inline without traffic loss?
From: Y M <snort () outlook com>
Date: Fri, 8 Feb 2013 19:50:57 +0000
Look at rate filtering (rate_filter) in Snort's manual. I think you would need to look at the rules you have and evaluate what is considered a risk to your environment and, based on that, determine your action strategy.
From: a_w_smith () yahoo co uk
To: snort-users () lists sourceforge net
Date: Fri, 8 Feb 2013 19:32:11 +0000
Subject: Re: [Snort-users] Restart snort inline without traffic loss?

> On 2/8/2013 11:57, Jeremy Hoel wrote:
> > Could you use modifysid to do that?
>
> Not knowing pulledpork, I'm going to guess that this is exactly what I've been trying to point the OP towards... In oinkmaster, I simply include another conf file that contains actual modifysid options along with enablesid and disablesid options ;)

Thanks for all the replies, I will have a look at modifysid.

The way I was planning to use snort/snorby was initially to identify the bad traffic and hacking etc. Once I had detected something I definitely wanted to drop I would change the rule to a drop rule. After adding the drop rule I didn't want to be notified about the drops because it would be more difficult to see new bad (passed) traffic.

If there is a better way to do things I am open to suggestions; I guess I am hoping (eventually) to just see a handful of notifications a day that need action. I am currently getting around 100-200 notifications per hour.

If snorby identified the traffic as already dropped then I would keep the notifications. I don't think it gives an indication of which traffic is passed or dropped, but I could well have missed something else...

Advice welcome.

Thanks,
Andy

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
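Added example configuration, not taken from any post in this thread: the rate_filter approach Y M points at, written out in snort.conf syntax from the Snort manual, next to the oinkmaster modifysid line waldo kitty describes. SID 1000001, the counts and the timeouts are constructed placeholders.

```conf
# snort.conf: rate_filter (Snort manual, "Event Processing").
# Below the threshold the rule keeps its own action (alert), so newly
# seen traffic still shows up in Snorby. Once one source triggers
# SID 1000001 five times within 60 s, the action for that source
# becomes drop for the next 60 s. Using new_action sdrop instead of
# drop discards the packet without generating an alert at all, which
# is what Andy asks for when he does not want to be notified of drops.
# SID, count, seconds and timeout are constructed placeholders.
rate_filter gen_id 1, sig_id 1000001, track by_src, count 5, seconds 60, new_action drop, timeout 60

# Optional: keep the drops from flooding the console. An event_filter
# of type limit reports at most one event per source per minute for
# the same SID, so the first hit is still visible but repeats are not.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# oinkmaster.conf: the alternative from the quoted reply. modifysid
# rewrites the rule text at update time, so changing "alert" to "drop"
# survives each rule refresh instead of being overwritten.
# Syntax as documented in oinkmaster.conf:
#   modifysid <sid[,sid...]> "<regex>" | "<replacement>"
modifysid 1000001 "^alert" | "drop"
```

A rule rewritten to drop by modifysid still logs each drop unless its action is changed to sdrop instead, so the two mechanisms differ in what reaches Snorby.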