[Snort-users] Compiling snort for CheckPoint Firewall-1 support

carlopmart carlopmart at ...11827...
Fri May 12 08:15:35 EDT 2006


Thanks Frank, I don't see this feature.

Many thanks to all.


Frank Knobbe wrote:
> On Fri, 2006-05-12 at 11:00 +0200, carlopmart wrote:
>>   Yes, correct, but I need to modify snort rules by hand if I want to 
>> block some connections with snortsam (and if I launch the process to update 
>> snort rules, they are overwritten and I lose my changes). I need to 
>> block connections immediately using snort rules and custom rules.
> 
> You can create a sid-block.map file instead of modifying rules. See
> README.rules:
> 
> ---8<---
> Instead of modifying the Snort rules, you can also create a file named
> sid-block.map which has to be in the same directory as Snort's sid-msg.map
> file (typically etc). In this file you can list the fwsam option using
> following syntax:
> 
>   <sid>:<option>
> 
> For example:
> 
>    1023: src, 15 min
> 
>    Alternatively, you may use a | (pipe) instead of a : (colon).
>    This has the same effect as adding "fwsam: src, 15min;" to the Snort rule
>    with SID 1023.
> 
>    You can specify options in both places (rules and sid-block.map file), but
>    the sid file takes priority. The file has to be in the same directory as the
>    other Snort config files (ie. sid-msg.map).
> --->8---
> 
> Regards,
> Frank
> 

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
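
Added example (not part of the original message and not snortsam's own code): a small Python check for a sid-block.map that parses the `<sid>:<option>` and `<sid>|<option>` lines quoted above and flags malformed lines, repeated SIDs, and SIDs that are absent from sid-msg.map, for instance after a rule update. The sample file contents are constructed, the option text is treated as opaque, and skipping `#` lines is an assumption.

```python
import re

# Constructed sample sid-block.map in the <sid>:<option> syntax (| may replace :).
SID_BLOCK_MAP = """\
1023: src, 15 min
2003| src, 15 min
1023: src, 15 min
abc: src, 15 min
9999999: src, 15 min
"""

# Constructed sample of sid-msg.map ("sid || message || references").
SID_MSG_MAP = """\
1023 || CONSTRUCTED example message one
2003 || CONSTRUCTED example message two || url,example.invalid
"""

ENTRY = re.compile(r"^\s*(\d+)\s*[:|]\s*(\S.*?)\s*$")

def known_sids(sid_msg_text):
    """Return the set of SIDs listed in sid-msg.map text."""
    sids = set()
    for line in sid_msg_text.splitlines():
        field = line.split("||", 1)[0].strip()
        if field.isdigit():
            sids.add(int(field))
    return sids

def check_block_map(block_text, sid_msg_text):
    """Parse sid-block.map text; return (entries, problems)."""
    known = known_sids(sid_msg_text)
    entries, problems = {}, []
    for lineno, line in enumerate(block_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # assumption: blank and '#' lines carry no entry
        m = ENTRY.match(line)
        if not m:
            problems.append((lineno, "not in <sid>:<option> form"))
            continue
        sid, option = int(m.group(1)), m.group(2)
        if sid in entries:
            problems.append((lineno, f"SID {sid} listed more than once"))
        if sid not in known:
            problems.append((lineno, f"SID {sid} not in sid-msg.map"))
        entries[sid] = option
    return entries, problems

if __name__ == "__main__":
    print(check_block_map(SID_BLOCK_MAP, SID_MSG_MAP))
```

A SID missing from sid-msg.map is only a warning here: it can also belong to a custom rule that was never added to that file.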



