
List:       snort-sigs
Subject:    Re: [Snort-sigs] Snort Block rules download for IPS mode
From:       waldo kitty <wkitty42 () windstream ! net>
Date:       2013-01-28 8:26:19
Message-ID: 5106362B.9040204 () windstream ! net

On 1/28/2013 02:21, immanuel wrote:
> Hi Joel,
>
> Thank you very much for the response.
>
> Our Snort server is working fine in the inline mode, which we have tested by
> manually creating block/deny rules in the local.rules file. But by default, the
> rules which we have downloaded are specific to IDS mode as the rule action is ALERT.

yes... all generated and distributed rules are ALERT rules... this is the safest 
for distribution and it is up to each receiver to adjust them as needed for 
their network's needs...

> There are several hundred such rules and we wish to know how to convert these
> rules for inline mode. Do we need to manually change each rule action to drop?

yes and no... yes, you need to change them... manually? no, this is where 
pulledpork or oinkmaster will come in handy... both are rule retrieval scripts 
and both handle the updating of your existing rules with the new ones... 
pulledpork does more than oinkmaster but both have a mechanism where you tell 
them what to do with certain rules... like enabling some that are disabled by 
default or disabling enabled ones because you don't need them in your network... 
they can also edit rules to make changes to them... in your case, you'd want to 
tell them what rules you want to alter from alert to drop...

> What happens to these modified rules when I update the same from Snort website
> for the latest version?

if you were to do it all manually, you'd have to update and reedit each time you 
pulled new rules... with oinkmaster or pulledpork, you let them do all the work 
of downloading, merging and editing...
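
An added illustration of the alert-to-drop rewrite waldo describes above (this is not code from the thread, nor pulledpork's or oinkmaster's own code). It keys the change on each rule's sid, the way pulledpork's dropsid.conf and oinkmaster's modifysid directive do, so the same SID list can be reapplied after every rule download instead of re-editing by hand. The rule file, the SID list and the file names are constructed sample data and assumptions, not any real ruleset:

```shell
#!/bin/sh
# Added example: convert selected Snort "alert" rules to "drop" for
# inline (IPS) mode, selected by sid. Not from the thread, pulledpork
# or oinkmaster; the sample rules and SID list below are constructed.

# Print $1 (a rules file) with the action of every active "alert" rule
# whose sid appears in $2 (one SID per line) rewritten to "drop".
# Commented-out rules and rules not in the list are passed through as-is,
# so a downloaded ruleset keeps its disabled-by-default rules disabled.
to_drop() {
  rules="$1"; sids="$2"
  awk -v sidfile="$sids" '
    BEGIN { while ((getline s < sidfile) > 0) if (s != "") want[s] = 1 }
    # Only lines that start with "alert " (uncommented rules) and carry a
    # "sid:NNN;" option are candidates; extract NNN and look it up.
    /^alert / && match($0, /sid:[0-9]+;/) {
      sid = substr($0, RSTART + 4, RLENGTH - 5)
      if (sid in want) sub(/^alert /, "drop ")
    }
    { print }
  ' "$rules"
}

# Constructed sample ruleset and SID list (assumed file names), written
# into directory $1. SID 1000003 is in the list but commented out, so it
# must stay untouched; 1000002 is active but not listed, so it stays alert.
write_samples() {
  dir="$1"
  cat > "$dir/test.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"SAMPLE dns anomaly"; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE disabled"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"SAMPLE ping"; sid:1000004; rev:2;)
EOF
  printf '%s\n' 1000001 1000003 1000004 > "$dir/dropsids.txt"
}

# Count rules on stdin whose action is $1 (e.g. "alert" or "drop").
count_action() {
  grep -c "^$1 "
}

# Stand-alone run: build the samples, rewrite, and summarise the result.
workdir=$(mktemp -d)
write_samples "$workdir"
to_drop "$workdir/test.rules" "$workdir/dropsids.txt" > "$workdir/test.inline.rules"
echo "drop rules : $(count_action drop  < "$workdir/test.inline.rules")"
echo "alert rules: $(count_action alert < "$workdir/test.inline.rules")"
cat "$workdir/test.inline.rules"
rm -rf "$workdir"
```

Because the selection lives in a separate SID list rather than in the edited rules file, re-running the rewrite over a freshly downloaded ruleset reproduces the same drop set, which is exactly the persistence problem the original question raises.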


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!