[Snort-users] inline rules

justin joseph justinjoseph007 at ...11827...
Wed Aug 19 06:15:45 EDT 2009


Hi

Can one buy inline rules (for IPS) from Sourcefire?

Or is it sufficient to get the IDS rules and then convert them to inline
rules, as mentioned in http://linuxgazette.net/117/savage.html,
with the script below.

cd /etc/snort_inline/rules/ || exit 1
# Rewrite the action of every rule whose line starts with "alert" to "drop".
for file in *.rules
do
	sed -e 's:^alert:drop:' "${file}" > "${file}.new"
	mv -f "${file}.new" "${file}"
done

I have also seen documentation for oinkcode configuration for converting
IDS rules to IPS ones.  What is the standard way to do this?  Is the difference
in the rules (IDS and IPS) merely a difference in substituting
words (alert -> drop/reject/sdrop?)

Thank you
Justin
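A stricter version of the conversion asked about above, as an added example that is not code from the post or from the Linux Gazette article: only live rules whose action is "alert" are rewritten to the chosen inline action (drop, reject or sdrop), commented-out rules and pass/log rules are left alone, and a per-action count lets the result be checked before it is loaded. The sample rule set is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the post or the Linux Gazette article.
# Rewrites the action of live "alert" rules to an inline action (drop, reject
# or sdrop).  Commented-out rules ("#alert ...") and rules with other actions
# (pass, log, ...) are left untouched, and a count lets the result be checked
# before the rule set is loaded.

# convert_rule_actions ACTION INFILE OUTFILE
convert_rule_actions() {
    case "$1" in
        drop|reject|sdrop) ;;                       # inline-only actions
        *) echo "unsupported inline action: $1" >&2; return 2 ;;
    esac
    # Match "alert" followed by whitespace at the start of a line (leading
    # blanks allowed); a leading '#' marks a disabled rule, which never matches.
    sed -e "s/^\([[:space:]]*\)alert\([[:space:]]\)/\1$1\2/" "$2" > "$3.tmp" \
        && mv -f "$3.tmp" "$3"
}

# count_action ACTION FILE: number of live rules using ACTION (0 if none)
count_action() {
    grep -c "^[[:space:]]*$1[[:space:]]" "$2" || true
}

# make_sample_rules FILE: constructed sample rules (not real Sourcefire rules)
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; sid:1000001; rev:1;)
#alert tcp any any -> any 80 (msg:"SAMPLE disabled rule"; sid:1000002; rev:1;)
  alert udp any any -> $HOME_NET 53 (msg:"SAMPLE dns"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> any any (msg:"SAMPLE allow"; sid:1000004; rev:1;)
log tcp any any -> any 8080 (msg:"SAMPLE log only"; sid:1000005; rev:1;)
EOF
}

# Stand-alone use: sh convert.sh drop /path/in.rules /path/out.rules
if [ "$#" -eq 3 ]; then
    convert_rule_actions "$@"
    echo "drop rules in $3: $(count_action drop "$3")"
fi
```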



