[Snort-users] inline mode rules
yinzhaohui at ...11827...
Fri Oct 21 19:55:29 EDT 2005
Since snort rules may trigger many false positive alerts, changing
to drop/sdrop inline mode may cut needed traffic.
I think it needs a small set of rules especially chosen to suit inline
mode. Has anyone done this work already?
On 10/22/05, Eric Maheo <eric.maheo at ...8860...> wrote:
> Yes, you can change your rules to drop, but you have other options like
> sdrop/reject/replace. See snort_manual.pdf in the /doc of your snort
> However, be careful when you change your action to drop because it will
> drop every packet it interprets as illegitimate traffic.
> So I would first set your IPS as IDS for a while and little by little
> switch your rules to drop/reject/sdrop/replace packets.
> Eric Maheo
> Vice President of Engineering,
> Applied Watch Technologies, LLC
> 1095 Pingree Rd.
> Suite 212
> Crystal Lake, IL 60014
> Tel: (877) 262-7593 x324
> Fax: (877) 262-7593
> Email: eric.maheo at ...8860...
> Web: http://www.appliedwatch.com
> On Sat, 2005-10-22 at 09:36 +0800, zhaohui yin wrote:
> > I want to use snort inline mode. Are there any special rules suited for
> > inline mode, or do I change all the rules' heads with "alert" replaced by
> > "drop"? Does it work fine?
> > --
> > yinzhaohui
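The staged switch discussed in this thread (run as IDS first, then move rules to drop little by little) can be scripted so that only rules already vetted for false positives change action. This is an added example, not part of the original thread or of Snort; the function name `promote_rules`, the sample rules and their sids are constructed for illustration.

```python
import re

# Inline actions named in the thread; "replace" is left out of this example.
INLINE_ACTIONS = {"drop", "sdrop", "reject"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
HEADER_RE = re.compile(r"^(\s*)alert(\s+)")

def promote_rules(rules_text, vetted_sids, action="drop"):
    """Rewrite 'alert' to an inline action only for rules whose sid is vetted.

    Returns (new_rules_text, promoted_sids). Commented-out rules, rules
    without a sid, and rules already using another action are left untouched.
    """
    if action not in INLINE_ACTIONS:
        raise ValueError("unsupported inline action: %s" % action)
    out, promoted = [], []
    # Join backslash-continued lines so a multi-line rule is handled as one.
    logical = re.sub(r"\\\r?\n\s*", "", rules_text).splitlines()
    for line in logical:
        m = SID_RE.search(line)
        if (not line.lstrip().startswith("#") and m
                and int(m.group(1)) in vetted_sids
                and HEADER_RE.match(line)):
            line = HEADER_RE.sub(r"\g<1>" + action + r"\g<2>", line, count=1)
            promoted.append(int(m.group(1)))
        out.append(line)
    return "\n".join(out) + "\n", promoted

# Constructed sample rules (not from any real rule set); sids are made up.
SAMPLE_RULES = r'''# local test rules
alert tcp any any -> $HOME_NET 80 (msg:"constructed rule A"; \
    content:"/example-a"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"constructed rule B"; content:"/example-b"; sid:1000002; rev:1;)
#alert udp any any -> $HOME_NET 53 (msg:"disabled rule C"; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    # Assumption: sid 1000001 ran clean in IDS mode; 1000003 is listed but disabled.
    new_text, promoted = promote_rules(SAMPLE_RULES, {1000001, 1000003})
    print(new_text)
    print("promoted sids:", promoted)
```

Rules whose sid is not in the vetted set keep alerting, so they can be observed longer before being promoted in a later pass.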