[Snort-users] rules for Snort Inline

Risto Vaarandi risto.vaarandi at ...13914...
Mon Sep 4 08:07:31 EDT 2006

Hi all,
I have had Snort running in IDS mode for some time, and would now like 
to deploy it in Inline mode for actually dropping malicious traffic. 
However, the Snort rules available at http://www.snort.org/rules/ have 
been configured to produce alerts only, and the user has to test each 
rule whether the 'drop', 'reject' or other such action would be suitable 
for his/her environment.
Since testing rules one by one involves a lot of time, I started to look 
for rule collections designed specifically for Snort Inline, and located 
the rulesets at BleedingSnort (http://www.bleedingsnort.com/rules/). My 
question is - are there any similar projects around for creating rules 
for Snort Inline?
I understand that for some rules it is difficult to verify that they 
don't block anything legitimate, yet there could be rules which almost 
never produce false positives. If someone has created a collection of 
such rules, I'd be thankful for the pointers.

