[Snort-users] Compiling snort for CheckPoint Firewall-1 support
frank at ...9761...
Fri May 12 21:34:59 EDT 2006
On Fri, 2006-05-12 at 11:00 +0200, carlopmart wrote:
> Yes, correct but I need to modify snort rules by hand if i would to
> block some connections with snortsam (and if I launch process to update
> snort rules, they are overwritted and I lose my changes). I need to
> block connections immediately using snort rules and custom rules.
You can create a sid-block.map file instead of modifying rules. See
Instead of modifying the Snort rules, you can also create a file named
sid-block.map which has to be in the same directory as Snort's
file (typically etc). In this file you can list the fwsam option using
1023: src, 15 min
Alternatively, you may use a | (pipe) instead of a : (colon).
This has the same effect as adding "fwsam: src, 15min;" to the Snort
with SID 1023.
You can specify options in both places (rules and sid-block.map
the sid file takes priority. The file has to be in the same directory
other Snort config files (ie. sid-msg.map).
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 187 bytes
Desc: This is a digitally signed message part
More information about the Snort-users