Snort mailing list archives
Re: rules in snort inline
From: "Burks, Doug" <doug.burks () morris com>
Date: Tue, 15 Jun 2010 16:43:39 -0400
Mea culpa. I saw a sed problem and my fingers automagically banged out a sed solution without thinking. (I've always used Oinkmaster/PulledPork, so I've never had the "pleasure" of finding out what this would actually do.) Sorry for the noise. Can I get a mulligan?

"I highly recommend PulledPork." :)

Regards,
--
Doug Burks, GPEN, GCIA, GSEC, CISSP
http://securityonion.blogspot.com

________________________________
From: Crook, Parker [mailto:Parker_Crook () reyrey com]
Sent: Tuesday, June 15, 2010 4:22 PM
To: Burks, Doug; black_angel black_angel; snort-users () lists sourceforge net
Subject: RE: [Snort-users] rules in snort inline

I'm going to point you to use Nigel & Joel & JJ's advice on this one...

Furthermore, if you want to change some rule from alert to drop, you should disable the rule (I also recommend Pulled Pork for downloading, enabling, disabling, etc.) and move the rule to your local.rules file with your changes - make sure you give the rule a new sid number and update your sid-msg.map file. That way, when you download the rule updates you don't overwrite your changes.

-Parker

________________________________
From: Burks, Doug [mailto:doug.burks () morris com]
Sent: Tuesday, June 15, 2010 3:46 PM
To: black_angel black_angel; snort-users () lists sourceforge net
Subject: Re: [Snort-users] rules in snort inline

How about something like this?

    sed -i 's|^alert |drop |g' /etc/snort_inline/rules/*.rules

Regards,
--
Doug Burks, GPEN, GCIA, GSEC, CISSP
http://securityonion.blogspot.com

________________________________
From: black_angel black_angel [mailto:black.sad.angel () gmail com]
Sent: Tuesday, June 15, 2010 3:34 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] rules in snort inline

hey everybody,

I try to change all the rules for my snort inline from mode "alert" to "drop". I used this script, but it doesn't work correctly:

    cd /etc/snort_inline/rules/
    for file in *.rules          # glob the files instead of parsing ls output
    do
        # rewrite the rule action at the start of each line
        sed -e 's:^alert:drop:g' "$file" > "$file.new"
        mv -f "$file.new" "$file"
    done

if someone has another script or any idea
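The alternative Parker describes (disable the vendor rule, copy it as "drop" with a new sid into local.rules, update sid-msg.map) as an added worked example; this is not code from the thread, and the file names, SIDs and sample rules are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: instead of rewriting every vendor rule
# from "alert" to "drop" in place (which the next rule update silently
# reverts), promote a single rule by SID the way Parker describes: comment
# it out in the vendor file, append a "drop" copy with a new SID to
# local.rules, and record the new SID in sid-msg.map.
# Assumes Snort 2.x rule syntax and POSIX sed/grep. The paths, SIDs and
# sample rules below are constructed for the demo.

# promote_rule SID NEW_SID VENDOR_RULES LOCAL_RULES SID_MSG_MAP
promote_rule() {
    sid=$1 new_sid=$2 src=$3 local_rules=$4 sidmap=$5
    # Locate the rule (enabled or already commented out). Matching "sid:N;"
    # avoids hitting SIDs that merely start with the same digits.
    rule=$(grep -E "^#? *alert .*sid: *$sid;" "$src" | head -n 1)
    [ -n "$rule" ] || { echo "sid $sid not found in $src" >&2; return 1; }
    # Refuse to create a duplicate SID in local.rules.
    if grep -qE "sid: *$new_sid;" "$local_rules" 2>/dev/null; then
        echo "sid $new_sid already present in $local_rules" >&2; return 1
    fi
    # 1. Disable the original so it does not also fire; write through a
    #    temp file rather than sed -i, which differs between GNU and BSD.
    sed "s/^\\(alert .*sid: *$sid;\\)/#\\1/" "$src" > "$src.new" && mv -f "$src.new" "$src"
    # 2. Build the drop copy: strip any leading comment marker, swap the
    #    action, renumber the SID and reset rev to 1.
    new_rule=$(printf '%s\n' "$rule" \
        | sed -e 's/^#* *alert /drop /' \
              -e "s/sid: *$sid;/sid:$new_sid;/" \
              -e 's/rev: *[0-9]*;/rev:1;/')
    printf '%s\n' "$new_rule" >> "$local_rules"
    # 3. Keep sid-msg.map in step so output shows the message, not a bare SID.
    msg=$(printf '%s\n' "$rule" | sed -n 's/.*msg: *"\([^"]*\)".*/\1/p')
    printf '%s || %s\n' "$new_sid" "$msg" >> "$sidmap"
}

# Constructed sample data for the demo; prints the scratch directory.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/vendor.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO sample http probe"; flow:to_server; content:"/demo"; sid:2000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO ssh banner"; sid:20000010; rev:1;)
EOF
    : > "$d/local.rules"; : > "$d/sid-msg.map"
    echo "$d"
}

dir=$(make_demo_dir)
promote_rule 2000001 1000001 "$dir/vendor.rules" "$dir/local.rules" "$dir/sid-msg.map"
cat "$dir/local.rules" "$dir/sid-msg.map"
```

Because the vendor file is only commented, not rewritten, a later Oinkmaster/PulledPork update can replace it without touching the drop copy in local.rules.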
Current thread:
- rules in snort inline black_angel black_angel (Jun 15)
- Re: rules in snort inline JJC (Jun 15)
- Re: rules in snort inline Nigel Houghton (Jun 15)
- Re: rules in snort inline Joel Esler (Jun 15)
- Re: rules in snort inline Paul Schmehl (Jun 15)
- Re: rules in snort inline Joel Esler (Jun 15)
- Re: rules in snort inline Burks, Doug (Jun 15)
- Re: rules in snort inline Crook, Parker (Jun 15)
- Re: rules in snort inline Burks, Doug (Jun 15)
- Re: rules in snort inline Crook, Parker (Jun 15)
- Re: rules in snort inline Tomas Heredia (Jun 15)