[Snort-users] Compiling snort for CheckPoint Firewall-1 support

Frank Knobbe frank at ...9761...
Fri May 12 21:34:59 EDT 2006


On Fri, 2006-05-12 at 11:00 +0200, carlopmart wrote:
>   Yes, correct but I need to modify snort rules by hand if I want to 
> block some connections with snortsam (and if I launch a process to update 
> snort rules, they are overwritten and I lose my changes). I need to 
> block connections immediately using snort rules and custom rules.

You can create a sid-block.map file instead of modifying rules. See
README.rules:

---8<---
Instead of modifying the Snort rules, you can also create a file named
sid-block.map which has to be in the same directory as Snort's sid-msg.map
file (typically etc). In this file you can list the fwsam option using
following syntax:

   <sid>:<option>

For example:

   1023: src, 15 min

Alternatively, you may use a | (pipe) instead of a : (colon).
This has the same effect as adding "fwsam: src, 15min;" to the Snort rule
with SID 1023.

You can specify options in both places (rules and sid-block.map file), but
the sid file takes priority. The file has to be in the same directory as the
other Snort config files (ie. sid-msg.map).
--->8---

Regards,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
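
Added example (not part of the original message and not SnortSam code): a small checker that parses a sid-block.map using the `<sid>:<option>` / `<sid>|<option>` syntax quoted above and reports which fwsam option ends up in effect for each rule, with the map taking priority over the rule's own option. The sample map, the sample rules, the function names and the skipping of `#` comment lines are assumptions of this example.

```python
import re

# Constructed sample sid-block.map content (not from a real deployment).
SAMPLE_MAP = """\
# treating '#' lines as comments is an assumption of this example
1023: src, 15 min
2001| src, 30 min
not-a-sid: src, 5 min
"""

# Constructed Snort rules; B and C carry their own inline fwsam option.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed A"; sid:1023; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed B"; fwsam: src, 5 min; sid:2001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed C"; fwsam: src, 10 min; sid:3000; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed D"; sid:4000; rev:1;)',
]

ENTRY = re.compile(r"^\s*(\d+)\s*[:|]\s*(\S.*?)\s*$")    # <sid>:<option> or <sid>|<option>
RULE_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_FWSAM = re.compile(r"\bfwsam\s*:\s*([^;]+?)\s*;")

def parse_sid_block_map(text):
    """Return ({sid: option}, [(line_number, rejected_line), ...])."""
    entries, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:
            entries[int(m.group(1))] = m.group(2)
        else:
            rejected.append((lineno, line))   # malformed: would never block anything
    return entries, rejected

def effective_fwsam(rule, block_map):
    """Return (sid, option, source); the map wins over the rule's inline option."""
    sid = RULE_SID.search(rule)
    if sid is None:
        return None
    sid_num = int(sid.group(1))
    if sid_num in block_map:
        return sid_num, block_map[sid_num], "sid-block.map"
    inline = RULE_FWSAM.search(rule)
    if inline:
        return sid_num, inline.group(1), "rule"
    return sid_num, None, None                # rule triggers no block

if __name__ == "__main__":
    block_map, bad = parse_sid_block_map(SAMPLE_MAP)
    for r in SAMPLE_RULES:
        print(effective_fwsam(r, block_map))
    print("rejected lines:", bad)
```

Running a check like this after each rule update shows which SIDs still block, without touching the rule files themselves.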
