[Snort-users] new user - snort is not droping pacekts

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Feb 15 01:07:12 EST 2005


--On 15 February 2005 08:52 +0100 lokesh.khanna at ...13040... wrote:

> I have just installed Snort 2.3.0RC2 on Enterprise Redhat with ACID.
>
> I am using webmin to manage rules. I have used Manhunt and Real Secure
> before. I am using snort 1st time.
>
> I can see lots of Alert in ACID Console. But I do not understand how
> Snort will drop the packet if it is matching any rule.
>
> In Real Secure I used to define action for each rule. How can I do same
> here?

Either use snort in inline (IPS) mode, and replace 'alert' with 'drop', or 
look into using something like SnortSam or Flexresp to run scripts which 
add ACLs to your routers, or rules to your firewalls.

If you don't use snort in inline mode, it's a NIDS and will not interfere 
directly with the sessions that it sees.

> Is there any other tool to manage rules?

Snortcenter2, oinkmaster.

I prefer the latter, these days. Writing an oinkmaster rule to 
programmatically modify dozens of rules is quicker and easier than clicking 
a few hundred times with a greater chance of human error.

> LK

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list