[Snort-users] rules for Snort Inline

Risto Vaarandi risto.vaarandi at ...13914...
Mon Sep 4 12:00:09 EDT 2006


Joel Esler wrote:
> Any rule can be converted to an inline rule by changing the keyword.
> In my opinion I wouldn't like someone else making a decision about what
> to drop (control) on _my_ network.

hi Joel,
good point - I was just looking for a better starting point for tuning 
the rules (I can change 'drop' back to 'alert' exactly like 'alert' to 
'drop', if needed).
br,
risto

> 
> Joel
> 
> 
> On Sep 4, 2006, at 8:07 AM, Risto Vaarandi wrote:
> 
>>> hi all,
>>> I have had Snort running in IDS mode for some time, and would now like to
>>> deploy it in Inline mode for actually dropping malicious traffic.
>>> However, the Snort rules available at http://www.snort.org/rules/ have
>>> been configured to produce alerts only, and the user has to test each
>>> rule whether the 'drop', 'reject' or other such action would be suitable
>>> for his/her environment.
>>> Since testing rules one by one involves a lot of time, I started to look
>>> for rule collections designed specifically for Snort Inline, and located
>>> the rulesets at BleedingSnort (http://www.bleedingsnort.com/rules/). My
>>> question is - are there any similar projects around for creating rules
>>> for Snort Inline?
>>> I understand that for some rules it is difficult to verify that they
>>> don't block anything legitimate, yet there could be rules which almost
>>> never produce false positives. If someone has created a collection of
>>> such rules, I'd be thankful for the pointers.
>>> br,
>>> risto
>>>
>>>
> 
> +---------------------------------------------------------------------+
> joel esler          senior security consultant         1-706-627-2101
> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
>        Snort - Open Source Network IPS/IDS -- http://www.snort.org
>          gpg key: http://demo.sourcefire.com/jesler.pgp.key
>            aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
> +---------------------------------------------------------------------+
> 
> 
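The thread's practical point is that a Snort rule becomes an inline rule by changing its action keyword, and that the change can be reverted just as easily. The script below is an added example, not code from this list, from Snort or from BleedingSnort: it rewrites the action of rules selected by SID (a constructed allow-list standing in for the "almost never produce false positives" set Risto describes), leaves commented-out and non-matching rules untouched, and can flip 'drop' back to 'alert'. The sample ruleset and the SIDs are constructed for the example; the single-line-per-rule assumption is noted in the code.

```python
import re

# Snort rule header: <action> <proto> <src> <sport> <dir> <dst> <dport> (options)
# The action keyword is the first token on the line; lines starting with '#'
# are comments (disabled rules) and deliberately do not match.
RULE_RE = re.compile(
    r'^(?P<lead>\s*)(?P<action>alert|log|pass|drop|reject|sdrop)\b(?P<rest>.*)$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

# Constructed sample ruleset for the example (not a snort.org or
# bleedingsnort rule file). Assumption: each rule sits on a single line, so
# the sid option is on the same line as the action keyword.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE noisy smtp rule"; content:"HELO"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE disabled rule"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> any any (msg:"EXAMPLE pass rule"; sid:1000004; rev:1;)
"""


def rule_sid(line):
    """Return the rule's sid as an int, or None if the line has no sid option."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def rule_actions(text):
    """Map sid -> action for every active (uncommented) rule in the text."""
    actions = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            sid = rule_sid(line)
            if sid is not None:
                actions[sid] = m.group("action")
    return actions


def convert_rules(text, new_action="drop", sids=None, from_actions=("alert",)):
    """Rewrite the action keyword of selected rules.

    new_action   -- keyword to write (e.g. 'drop' for inline, 'alert' to revert)
    sids         -- set of sids to touch; None means every matching rule
    from_actions -- only rules currently using one of these actions are changed
    Comment lines, non-rule lines and rules with other actions pass through
    unchanged, so the rule file keeps its layout.
    """
    if new_action not in VALID_ACTIONS:
        raise ValueError("unknown Snort action: %r" % new_action)
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("action") not in from_actions:
            out.append(line)
            continue
        if sids is not None and rule_sid(line) not in sids:
            out.append(line)
            continue
        out.append(m.group("lead") + new_action + m.group("rest"))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    # Stage 1: only the reviewed, low-false-positive sid goes to 'drop'.
    inline = convert_rules(SAMPLE_RULES, "drop", sids={1000001})
    print(inline)
    print(rule_actions(inline))
    # Stage 2: revert every 'drop' back to 'alert', as the thread notes is possible.
    print(rule_actions(convert_rules(inline, "alert", from_actions=("drop",))))
```

Running the script on a real rule file would be `convert_rules(open("local.rules").read(), "drop", sids=reviewed_sids)`; writing the result to a separate file and pointing the inline instance at it keeps the original alert-only ruleset available for the IDS sensor.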