Snort mailing list archives
Re: Sourcefire VRT Rules and Snort Active Response
From: "Jason D. McCormick" <jasonmc () sei cmu edu>
Date: Mon, 20 Jun 2011 16:29:27 -0400
I am correct in my understanding that when executed this way the Sourcefire VRT rulesets will not actively respond since Snort isn't operating in inline mode, yes?
Snort can still send active responses in IDS mode, so make sure that this line or similar is commented out of your snort.conf:
# config response: eth0 attempts 2.
Yes it is, and that's how it comes from Sourcefire in the VRT ruleset too. I just wanted to make sure there wasn't some other "default" value that made this still work with that line commented out (as opposed to set to 0 or something). Sounds like I'm good then?
- Jason
Current thread:
- Sourcefire VRT Rules and Snort Active Response Jason D. McCormick (Jun 20)
- Re: Sourcefire VRT Rules and Snort Active Response Russ Combs (Jun 20)
- Re: Sourcefire VRT Rules and Snort Active Response Jason D. McCormick (Jun 20)
- Re: Sourcefire VRT Rules and Snort Active Response Russ Combs (Jun 21)
- Re: Sourcefire VRT Rules and Snort Active Response Jason D. McCormick (Jun 20)
- Re: Sourcefire VRT Rules and Snort Active Response Russ Combs (Jun 20)