Snort mailing list archives

Re: rules for Snort Inline


From: Risto Vaarandi <risto.vaarandi () seb ee>
Date: Mon, 04 Sep 2006 19:00:09 +0300

Joel Esler wrote:
Any rule can be converted to an inline rule by changing the keyword.
In my opinion I wouldn't like someone else making a decision about what
to drop (control) on _my_ network.

hi Joel,
good point - I was just looking for a better starting point for tuning 
the rules (I can change 'drop' back to 'alert' exactly like 'alert' to 
'drop', if needed).
br,
risto


Joel


On Sep 4, 2006, at 8:07 AM, Risto Vaarandi wrote:

hi all,
I have had Snort running in IDS mode for some time, and would now like
to deploy it in Inline mode for actually dropping malicious traffic.
However, the Snort rules available at http://www.snort.org/rules/ have
been configured to produce alerts only, and the user has to test for each
rule whether the 'drop', 'reject' or other such action would be suitable
for his/her environment.
Since testing rules one by one involves a lot of time, I started to look
for rule collections designed specifically for Snort Inline, and located
the rulesets at BleedingSnort (http://www.bleedingsnort.com/rules/). My
question is - are there any similar projects around for creating rules
for Snort Inline?
I understand that for some rules it is difficult to verify that they
don't block anything legitimate, yet there could be rules which almost
never produce false positives. If someone has created a collection of
such rules, I'd be thankful for the pointers.
br,
risto

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+



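The workflow the thread describes (flip 'alert' to 'drop' only for a hand-picked set of rules, and be able to flip them back) is easy to script. The following is an added example written for this archive page; it is not code from the thread, from snort.org or from BleedingSnort. It assumes Snort's standard rule syntax (an action keyword, then the header, then options in parentheses with a `sid:` option), that 'drop', 'sdrop' and 'reject' are the inline-only actions, and that rules may be continued across lines with a trailing backslash. The rule file, the sids and the allowlist are constructed for the example.

```python
import re

# Snort rule action keywords. 'drop', 'sdrop' and 'reject' only take
# effect when Snort runs inline (snort_inline); 'alert' is what the
# stock snort.org rules ship with.
ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "sdrop", "reject")

RULE_RE = re.compile(r"^(?P<action>%s)\s+(?P<rest>\S.*)$" % "|".join(ACTIONS))
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rule file for this example (local sid range, not
# rules from snort.org or bleedingsnort.com). Line 3 is commented out,
# line 4 is continued with a backslash, line 6 is not an alert rule.
SAMPLE_RULES = """\
# sample.rules (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flags:S; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE cgi probe"; content:"/cgi-bin/"; \\
    sid:1000003; rev:2;)
pass tcp $HOME_NET any -> any 53 (msg:"EXAMPLE trusted dns"; sid:1000004; rev:1;)
"""


def join_continuations(lines):
    """Join backslash-continued rule lines into one logical line each."""
    out, buf = [], None
    for raw in lines:
        line = raw.rstrip()
        if buf is not None:
            line = buf + " " + line.lstrip()
            buf = None
        if line.endswith("\\"):
            buf = line[:-1].rstrip()
            continue
        out.append(line)
    if buf is not None:
        out.append(buf)
    return out


def rule_sid(line):
    """sid of an active rule line; None for comments, blanks and non-rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    s = SID_RE.search(m.group("rest"))
    return int(s.group(1)) if s else None


def set_action(line, new_action, sids):
    """Return `line` with its action replaced by new_action if its sid is in sids."""
    stripped = line.rstrip("\n")
    sid = rule_sid(stripped)
    if sid is None or sid not in sids:
        return stripped          # comments, disabled rules, other sids: untouched
    m = RULE_RE.match(stripped.strip())
    return "%s %s" % (new_action, m.group("rest"))


def convert_rules(lines, sids, new_action="drop"):
    """Rewrite the action of every rule whose sid is in `sids`."""
    return [set_action(line, new_action, sids) for line in lines]


def actions_by_sid(lines):
    """Map sid -> action for the active rules in `lines` (for before/after checks)."""
    out = {}
    for line in lines:
        m = RULE_RE.match(line.strip())
        sid = rule_sid(line)
        if m and sid is not None:
            out[sid] = m.group("action")
    return out


def main():
    lines = join_continuations(SAMPLE_RULES.splitlines())
    # The curated low-false-positive set one would assemble by hand.
    drop_sids = {1000001, 1000003}
    inline = convert_rules(lines, drop_sids, "drop")
    for line in inline:
        print(line)
    # Checks worth running before loading the file into snort_inline:
    # no rule gained or lost, and the change reverses cleanly.
    assert len(actions_by_sid(inline)) == len(actions_by_sid(lines))
    assert convert_rules(inline, drop_sids, "alert") == lines


if __name__ == "__main__":
    main()
```

Rules not in the allowlist keep their original action, so in inline mode they still only alert, which is the tuning starting point discussed above; the same call with `"alert"` undoes the change. The sid is taken from the rule options, so `sid:` text inside a quoted `msg` would need a proper rule parser rather than this regex.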