Snort mailing list archives

Re: inline mode rules


From: zhaohui yin <yinzhaohui () gmail com>
Date: Sat, 22 Oct 2005 10:54:34 +0800

Since Snort rules may trigger many false positive alerts, changing
to drop/sdrop in inline mode may cut off needed traffic.
I think it needs a small set of rules specially chosen to suit inline
mode. Has anyone done this work already?

On 10/22/05, Eric Maheo <eric.maheo () appliedwatch com> wrote:
Hi,

Yes, you can change your rules to drop, but you have other options like
sdrop/reject/replace; see snort_manual.pdf in the /doc of your Snort
tarball.

However, be careful when you change your action to drop, because it will
drop every packet it interprets as illegitimate traffic.

So I would first set your IPS as an IDS for a while and little by little
switch your rules to drop/reject/sdrop/replace packets.

Thanks,
--

Eric Maheo
Vice President of Engineering,

Applied Watch Technologies, LLC
1095 Pingree Rd.
Suite 212
Crystal Lake, IL 60014

Tel: (877) 262-7593 x324
Fax: (877) 262-7593

Email: eric.maheo () appliedwatch com
Web: http://www.appliedwatch.com


On Sat, 2005-10-22 at 09:36 +0800, zhaohui yin wrote:
I want to use Snort inline mode. Are there any special rules suited for
inline mode, or can I change all the rule heads, with "alert" replaced by
"drop"? Does that work fine?
--
yinzhaohui


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list





--
yinzhaohui
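
One way to carry out the gradual switch suggested in the reply above, shown as an added example that is not part of the original thread: only rules whose SIDs were vetted during the IDS-only period are promoted from `alert` to `drop`, and everything else is left untouched. The function name, the sample rules and the SIDs are constructed for illustration.

```python
import re

# Action keyword at the start of an active rule, and the sid option in its body.
ACTION_RE = re.compile(r"^(\s*)alert(\s+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Inline-mode actions named in the thread that block traffic.
INLINE_ACTIONS = {"drop", "sdrop", "reject"}


def promote_rules(rules_text, vetted_sids, new_action="drop"):
    """Rewrite 'alert' to new_action only for active rules whose sid is vetted.

    Returns (new_rules_text, list_of_promoted_sids). Commented-out rules and
    rules whose sid is not in vetted_sids are returned unchanged.
    """
    if new_action not in INLINE_ACTIONS:
        raise ValueError("unsupported inline action: %r" % new_action)
    out, promoted = [], []
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        # ACTION_RE is anchored, so "# alert ..." and "alert" inside msg or
        # content options never match.
        if sid and int(sid.group(1)) in vetted_sids and ACTION_RE.match(line):
            line = ACTION_RE.sub(
                lambda m: m.group(1) + new_action + m.group(2), line, count=1)
            promoted.append(int(sid.group(1)))
        out.append(line)
    return "\n".join(out) + "\n", promoted


# Constructed sample rules (not from any real rule set).
SAMPLE_RULES = (
    '# local test rules\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE quiet rule"; content:"/alert"; sid:1000001; rev:1;)\n'
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 '
    '(msg:"EXAMPLE noisy rule"; sid:1000002; rev:1;)\n'
    '# alert tcp any any -> any 23 '
    '(msg:"EXAMPLE disabled rule"; sid:1000003; rev:1;)\n'
)

if __name__ == "__main__":
    # Assumption: 1000001 produced no false positives while running as an IDS.
    text, done = promote_rules(SAMPLE_RULES, {1000001, 1000003})
    print(text, end="")
    print("promoted:", done)
```

Rules that stay as `alert` keep reporting in inline mode, so they can be reviewed and promoted in a later pass.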

