[Snort-users] rules in snort inline

Nigel Houghton nhoughton at ...1935...
Tue Jun 15 15:52:43 EDT 2010


On Tue, Jun 15, 2010 at 3:33 PM, black_angel black_angel
<black.sad.angel at ...11827...> wrote:
> Hey everybody,
> I'm trying to change all the rules for my Snort inline from mode "alert" to
> "drop". I used this script but it doesn't work correctly:
>
> cd /etc/snort_inline/rules/
>
> for file in $(ls -1 *.rules)
> do
>     sed -e 's:^alert:drop:g' ${file} > ${file}.new
>     mv ${file}.new ${file} -f
> done
> If someone has another script or any idea


Don't do that, any of you. There are flowbit rules (the ones that set
a flowbit) that should never be set to drop.

Use Pulled Pork or Oinkmaster to manage your rules and make changes.
That is all.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
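
The flowbit caveat in the reply above, shown as an added example that is not part of either message and is not VRT, PulledPork or Oinkmaster code: the filter changes `alert` to `drop` only for rules that do not change flowbit state and are not marked `noalert`, so setter rules keep their original action. The function names, the `.bak` backup convention and the sample rules (sids 1000001 to 1000004) are constructed for illustration, and treating `set`, `setx`, `unset`, `toggle` and `noalert` as the "do not drop" cases is this example's assumption.

```shell
#!/bin/sh
# Added example: selective alert -> drop conversion that skips flowbit setters.

# Filter: rules on stdin, rewritten rules on stdout.
# A rule keeps its "alert" action when it carries a flowbits option that
# changes state (set, setx, unset, toggle) or is marked noalert.
# Commented-out rules ("# alert ...") never match ^alert and pass through.
alert_to_drop() {
    awk '
        /^alert[ \t]/ && !/flowbits[ \t]*:[ \t]*(set|setx|unset|toggle|noalert)[ \t]*[,;]/ {
            sub(/^alert/, "drop")
        }
        { print }
    '
}

# Apply the filter to every *.rules file in a directory (hypothetical helper).
# The original is kept as FILE.bak and replaced only if the filter succeeded.
convert_dir() {
    dir=$1
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        cp -p "$f" "$f.bak" &&
            alert_to_drop < "$f.bak" > "$f.new" &&
            mv -f "$f.new" "$f" || return 1
    done
}

# Constructed sample rules, not taken from any real rule set.
sample_rules() {
    cat <<'EOF'
alert tcp any any -> any 80 (msg:"constructed: PDF request"; content:".pdf"; flowbits:set,example.pdf; flowbits:noalert; sid:1000001;)
alert tcp any 80 -> any any (msg:"constructed: PDF payload check"; flowbits:isset,example.pdf; content:"%PDF"; sid:1000002;)
alert icmp any any -> any any (msg:"constructed: plain rule"; sid:1000003;)
# alert udp any any -> any 53 (msg:"constructed: disabled rule"; sid:1000004;)
EOF
}

# Show the effect on the constructed sample: the setter rule stays "alert".
sample_rules | alert_to_drop
```

Rules that only test a flowbit (`isset`, `isnotset`) are converted, since they are the ones that fire on the traffic the setter marked.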



