Snort mailing list archives
Re: Snort Block rules download for IPS mode
From: immanuel <immanuel2908 () gmail com>
Date: Mon, 28 Jan 2013 12:51:48 +0530
Hi Joel,

Thank you very much for the response. Our Snort server is working fine in inline mode, which we have tested by manually creating block/deny rules in the local.rules file. But by default, the rules which we have downloaded are specific to IDS mode, as the rule action is ALERT. There are several hundred such rules and we wish to know how to convert these rules for inline mode. Do we need to manually change each rule action to drop? What happens to these modified rules when I update them from the Snort website for the latest version?

Regards,
Immanuel

On Thu, Jan 24, 2013 at 8:52 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Jan 24, 2013, at 2:43 AM, immanuel <immanuel2908 () gmail com> wrote:
>
> > Hi All,
> >
> > I am a beginner in Snort and I have configured Snort and the test was a success. I have downloaded the default Snort rules available on the website and I am able to see alert logs. But I could not find any alerts for block or drop, as all the default rules that are downloaded have only rules defined to alert. Can you please guide me to the place where I can download official rules to block/drop unwanted traffic, or guide me with the syntax to create block/drop rules?
> >
> > Following is my deployment scenario:
> > OS: CentOS 6.3
> > Snort version: 2.9.4
>
> To make a rule drop, you must first be running in inline mode (-Q in Snort, with the right DAQ module), but you simply change "alert" to "drop" in the rule itself.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
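The conversion Joel describes, applied to a whole rules file so it can be re-run after every rules update, as an added example that is not part of the thread (the sample rules and their SIDs are constructed; the function and file names are assumptions):

```shell
#!/bin/sh
# Added example (not from the thread): rewrite downloaded IDS rules for
# inline mode by changing the rule action "alert" to "drop".
# Only the action keyword at the start of an active rule line is
# touched; comment lines and other actions (pass, log, ...) are left as is.
# Write the result to a separate file referenced from snort.conf and re-run
# this after each rules download, so the update never overwrites the edits.

convert_alert_to_drop() {
    # $1 = downloaded rules file, $2 = converted file for inline mode
    sed -E 's/^[[:space:]]*alert[[:space:]]+/drop /' "$1" > "$2"
}

# Count active rules using a given action keyword (before/after check)
count_action() {
    # $1 = action keyword, $2 = rules file; prints 0 when nothing matches
    grep -cE "^[[:space:]]*$1[[:space:]]+" "$2" || true
}

# Constructed sample rules file (hypothetical SIDs, not real VRT rules)
make_sample() {
    cat > "$1" <<'EOF'
# comment line stays untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"sample ssh"; sid:1000001; rev:1;)
pass tcp $HOME_NET any -> any 80 (msg:"sample pass"; sid:1000002; rev:1;)
  alert udp any any -> $HOME_NET 53 (msg:"sample dns"; sid:1000003; rev:1;)
EOF
}
```

Snort must still run inline (-Q with a suitable DAQ) for the converted drop rules to block anything; in plain IDS mode they behave like alerts.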
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort Block rules download for IPS mode immanuel (Jan 23)
- Re: Snort Block rules download for IPS mode Joel Esler (Jan 24)
- Re: Snort Block rules download for IPS mode immanuel (Jan 27)
- Re: Snort Block rules download for IPS mode waldo kitty (Jan 28)
- Re: Snort Block rules download for IPS mode immanuel (Jan 27)
- Re: Snort Block rules download for IPS mode Joel Esler (Jan 24)