Re: Snort running inline but not functioning as IPS

["Joel Esler (jesler)" <jesler () cisco com>]

> On Jan 22, 2016, at 7:53 AM, mlists () robin-kipp net wrote:
>
> Hi Joel,
>
> Am 2016-01-22 13:08, schrieb Joel Esler (jesler):
> > Pulledpork actually has a feature that will enable rules to drop by
> > default based upon their policy (connectivity, balanced, security, and
> > max-detect)
>
> Well, this would be absolutely perfect!
> However, according to pulledpork.conf:
>
> # Note that setting this value will disable all ET rulesets if you are
> # Running such rulesets
>
> Unfortunately, this would apply to me as I'm using those rulesets, so I guess using a policy won't work for me. So, I 
> guess the best alternative would be using categories instead?
> Best regards,
> Robin

There are certain categories that might be completely drop worthy, like exploit-kit and malware-cnc.  But otherwise, 
I’d go with the policy method.
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!