Re: Switching snort from IDS to IPS mode

[James Lay <jlay () slave-tothe-box net>]

Check here under Deployment Guides: 

https://www.snort.org/documents 

In a nutshell you send all your traffic to snort, and then snort decides
what to do with it..usually using NFQUEUE or a box with three interfaces
with a pair of interfaces being your traffic in/out and the third for
management.  Snort will create it's own bridge in the latter case so no
need for bridge utils. 

James 

On 2018-02-03 06:47, Jim Campbell wrote:

> I run the following snippet from a shell script to change the rules from alert to block. I am running snort 2.9.9.0 
> inline (IPS) under Ubuntu 17.04. 
>
> echo "Change 'alert' to 'block' for snort.rules ========================"
> sudo awk '{sub("alert","block",$0); print;}' /etc/snort/rules/snort.rules > /etc/snort/rules/snortd.rules 
> On 2/3/2018 6:42 AM, bobby via Snort-users wrote: 
>
> > I am running Snort inline.  I am running Linux. What would be the easiest way to replace all rules with drop from 
> > alert?  Would I have to run a script to modify each rule, or is there an easier way?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette