Re: Snort3: builtin rules: how change action?

[Victor Roemer via Snort-users <snort-users () lists snort org>]

So `snort --dump-builtin-rules > builtin.rules` will give you a list of 
rules, you can change the action from `alert` to `block`. You really 
have to decide on which you wish to block yourself.

From there you'll have to include `builtin.rules` in your snort.lua.

On 12/10/18 5:52 AM, Meridoff via Snort-users wrote:
> When loading builtin rules In make_rule() I can see hardcoded "alert" 
> action and other header fields (tcp any/any) hardcoded too..
> Is it supposed to be changed in future? So that header fields of 
> builiin rules can be changed?
>
> Version - master.
>
> пн, 10 дек. 2018 г. в 13:41, Meridoff <oagvozd () gmail com 
> <mailto:oagvozd () gmail com>>:
>
>     Hello, with --dump-builtin-rules I can see builtin rules, which
>     all have 'alert' action.
>
>     How I can change action of such rules (for example to 'drop' in
>     inline mode) ?
>
>     Thanks for attention
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette