Snort mailing list archives

Re: Snort running inline but not functioning as IPS


From: Robin Kipp <mlists () robin-kipp net>
Date: Fri, 22 Jan 2016 00:19:53 +0100

Hi James,

On 21.01.2016 at 22:59, James Lay <jlay () slave-tothe-box net> wrote:

Do you have any rules that say "drop" instead of "alert"?


Well, I’m honestly not sure! I haven’t really done anything with the rules yet, as I wanted to get basic functionality 
working and then start to get more into the details… I’m using pulledpork to update my rules, using the registered 
ruleset provided by Talos and the free one provided by EmergingThreatsPro.
All my rules are stored in one file, snort.rules. After briefly looking at that file, I just took a shot in the dark by 
running:
grep "drop tcp" /var/snort/rules/snort.rules
which gave me no output whatsoever. On the other hand, the command
grep "alert tcp" /var/snort/rules/snort.rules
returned loads of results; I eventually aborted the command.
So, I guess that means I currently don’t have any drop rules active, at least as far as I can tell. So, what would be 
the best way for me to change that? Is there any way to automatically enforce some rules based on severity or any other 
criteria, or what’s the preferred way?
I suppose if I manually changed some rules in the snort.rules file, then pulledpork would probably overwrite those 
changes with the next upgrade. Would that be true?
Thanks a lot for any further help!
Best regards,
Robin

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
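The grep checks in the post above count rule actions by hand and then ask how to promote selected alert rules to drop without the change being lost on the next rule update. The script below is an added example, not code from the post or from the Snort or pulledpork projects: it counts active rules per action in a rules file and rewrites "alert" to "drop" only for rules matching a chosen list of SIDs or classtypes, leaving commented-out rules and rules with other actions untouched. The rules text, SIDs (9000001-9000005) and message strings are constructed placeholders, not real Talos or Emerging Threats rules.

```python
import re

# Constructed sample of a snort.rules file; SIDs and messages are placeholders,
# not real Talos or Emerging Threats rules.
SAMPLE_RULES = """\
# Constructed sample rules file (placeholder SIDs 9000001-9000005).
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh brute force"; flow:to_server,established; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE policy note"; classtype:policy-violation; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE dns oddity"; classtype:misc-activity; sid:9000003; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; classtype:misc-activity; sid:9000004; rev:1;)
drop tcp any any -> $HOME_NET 445 (msg:"SAMPLE already drop"; classtype:trojan-activity; sid:9000005; rev:1;)
"""

# Actions Snort accepts at the start of a rule line; a leading '#' means the rule is disabled.
ACTION_RE = re.compile(r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<rest>\S.*)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
CLASSTYPE_RE = re.compile(r'\bclasstype:\s*([\w-]+)\s*;')


def count_actions(rules_text):
    """Count active (uncommented) rules per action, which the grep in the post did by hand."""
    counts = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            action = m.group('action')
            counts[action] = counts.get(action, 0) + 1
    return counts


def convert_to_drop(rules_text, sids=(), classtypes=()):
    """Rewrite 'alert' to 'drop' for rules whose SID is in `sids` or whose classtype is in
    `classtypes`. Returns (new_text, list_of_changed_sids). Commented-out rules and rules
    that already use a non-alert action are left exactly as they are."""
    wanted_sids = set(int(s) for s in sids)
    wanted_classtypes = set(classtypes)
    out_lines = []
    changed = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m and m.group('action') == 'alert':
            sid_m = SID_RE.search(line)
            ct_m = CLASSTYPE_RE.search(line)
            sid = int(sid_m.group(1)) if sid_m else None
            classtype = ct_m.group(1) if ct_m else None
            if sid in wanted_sids or classtype in wanted_classtypes:
                line = 'drop ' + m.group('rest')
                changed.append(sid)
        out_lines.append(line)
    return '\n'.join(out_lines) + '\n', changed


if __name__ == '__main__':
    print('before:', count_actions(SAMPLE_RULES))
    new_text, changed = convert_to_drop(SAMPLE_RULES, sids=[9000001], classtypes=['misc-activity'])
    print('changed SIDs:', changed)
    print('after: ', count_actions(new_text))
```

Because pulledpork regenerates snort.rules on every run, a rewrite like this has to be re-applied after each update (or expressed through pulledpork's own dropsid.conf, which exists for this purpose) rather than edited once into the file; the SID list returned by convert_to_drop is the record to keep so the same set is promoted each time.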

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
