Re: Snort-inline vs. SnortSam

[Frank Knobbe <frank () knobbe us>]

On Thu, 2005-03-10 at 09:03 -0500, Adam Kennedy wrote:
> What I'm trying to do is figure out what method is easiest/best for
> automatically blocking traffic snort picks up. I've used snortsam
> before, but re-writing all the rules gets annoying.

Well, you don't want to rewrite "all the rules". I don't recommend you
block blindly on all rules, unless you really want to shoot yourself in
the foot. I highly recommend blocking only on carefully selected rules.

Instead of modifying the rules, you can add the sid and block options
into the sid-block.map file. (See README.rules)

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part