Re: rules for Snort Inline

[Joel Esler <joel.esler () sourcefire com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Any rule can be converted to an inline rule by changing the keyword.   
In my opinion I wouldn't like someone else making a decision about  
what to drop (control) on _my_ network.

Joel


On Sep 4, 2006, at 8:07 AM, Risto Vaarandi wrote:

> hi all,
> I have had Snort running in IDS mode for some time, and would now like
> deploy it in Inline mode for actually dropping malicious traffic.
> However, the Snort rules available at http://www.snort.org/rules/ have
> been configured to produce alerts only, and the user has to test each
> rule whether the 'drop', 'reject' or other such action would be  
> suitable
> for his/her environment.
> Since testing rules one by one involves a lot of time, I started to  
> look
> for rule collections designed specifically for Snort Inline, and  
> located
> the rulesets at BleedingSnort (http://www.bleedingsnort.com/ 
> rules/). My
> question is - are there any similar projects around for creating rules
> for Snort Inline?
> I understand that for some rules it is difficult to verify that they
> don't block anything legitimate, yet there could be rules which almost
> never produce false positives. If someone has created a collection of
> such rules, I'd be thankful for the pointers.
> br,
> risto
>
> ---------------------------------------------------------------------- 
> ---
> Using Tomcat but need to do more? Need to support web services,  
> security?
> Get stuff done quickly with pre-integrated technology to make your  
> job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache  
> Geronimo
> http://sel.as-us.falkag.net/sel? 
> cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
        Snort - Open Source Network IPS/IDS -- http://www.snort.org
          gpg key: http://demo.sourcefire.com/jesler.pgp.key
            aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFE/CnbKbCSyXHckt4RAi97AJwInpEgBROTAAOlZrIY3cLWws5K1wCfZTnL
vV8VrV7xudx5CJKLEo9vJoE=
=XF5s
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users