Snort mailing list archives
Re: Snort running inline but not functioning as IPS
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 21 Jan 2016 16:26:55 -0700
On 2016-01-21 16:19, Robin Kipp wrote:
> Hi James,
>
> On 21.01.2016 at 22:59, James Lay <jlay () slave-tothe-box net> wrote:
>> Do you have any rules that say "drop" instead of "alert"?
>
> Well, I'm honestly not sure! I haven't really done anything with the rules yet, as I wanted to get basic functionality working and then start to get more into the details... I'm using pulledpork to update my rules, using the registered ruleset provided by Talos and the free one provided by EmergingThreatsPro. All my rules are stored in one file, snort.rules. After briefly looking at that file, I just took a shot in the dark by running:
>
> grep "drop tcp" /var/snort/rules/snort.rules
>
> which gave me no output whatsoever. On the other hand, the command
>
> grep "alert tcp" /var/snort/rules/snort.rules
>
> returned loads of results; I eventually aborted the command. So, I guess that means I currently don't have any drop rules active, at least as far as I can tell.
>
> So, what would be the best way for me to change that? Is there any way to automatically enforce some rules based on severity or any other criteria, or what's the preferred way? I suppose if I manually changed some rules in the snort.rules file, then pulledpork would probably overwrite those changes with the next upgrade. Would that be true?
>
> Thanks a lot for any further help!
>
> Best regards,
> Robin
Ah...well there you have it then. Change a rule or two from alert to drop and then restart and test.

James
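The check and the edit discussed above, as an added example that is not part of the thread: the grep in the question also matches rules that pulledpork has disabled with a leading `#`, so this script counts only active rules by action and rewrites the action of selected SIDs from alert to drop. The sample rules file is constructed here; the SIDs and paths are placeholders, not from the thread.

```python
import re

# Constructed sample in the shape of a pulledpork-generated snort.rules.
# The first rule is disabled (commented out), so it must not count as active.
SAMPLE_RULES = """\
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; sid:1000003; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb probe"; sid:1000004; rev:1;)
"""

# Rule header: action and protocol at the very start of the line (a "# " prefix fails this).
HEADER_RE = re.compile(r"^(?P<action>alert|drop|sdrop|reject|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\b")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rules(text):
    """Return (action, proto, sid, line) for every active rule; skip blanks and commented rules."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        m = HEADER_RE.match(stripped)
        if not stripped or stripped.startswith("#") or not m:
            continue
        sid = SID_RE.search(stripped)
        rules.append((m.group("action"), m.group("proto"), int(sid.group(1)) if sid else None, stripped))
    return rules


def count_actions(text):
    """Count active rules per action, e.g. {'alert': 2, 'drop': 1}."""
    counts = {}
    for action, _proto, _sid, _line in parse_rules(text):
        counts[action] = counts.get(action, 0) + 1
    return counts


def set_action(text, sids, new_action="drop"):
    """Rewrite the action of active rules whose sid is in `sids`. Returns (new_text, changed_sids)."""
    changed, out = set(), []
    for line in text.splitlines():
        m, sid = HEADER_RE.match(line), SID_RE.search(line)
        if m and sid and int(sid.group(1)) in sids and m.group("action") != new_action:
            line = new_action + line[m.end("action"):]   # replace only the action keyword
            changed.add(int(sid.group(1)))
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    print(count_actions(SAMPLE_RULES))
    updated, changed = set_action(SAMPLE_RULES, {1000002, 1000004})
    print("changed:", sorted(changed), "->", count_actions(updated))
```

Because pulledpork regenerates snort.rules on each run, an edit like this has to be reapplied after every update (pulledpork's own dropsid.conf mechanism exists for exactly this, but that is beyond what the thread covers).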