[Snort-users] rules in snort inline

Joel Esler jesler at ...1935...
Tue Jun 15 16:01:31 EDT 2010


On Jun 15, 2010, at 3:52 PM, Nigel Houghton wrote:
> On Tue, Jun 15, 2010 at 3:33 PM, black_angel black_angel
> <black.sad.angel at ...11827...> wrote:
>> Hey everybody,
>> I am trying to change all the rules for my snort inline from mode "alert" to
>> "drop". I used this script but it doesn't work correctly:
>> 
>> cd /etc/snort_inline/rules/
>> for file in $(ls -1 *.rules)
>> do
>>     sed -e 's:^alert:drop:g' ${file} > ${file}.new
>>     mv ${file}.new ${file} -f
>> done
>>
>> If someone has another script or any idea
>>
> 
> 
> Don't do that, any of you. There are flowbit rules (the ones that set
> a flowbit) that should never be set to drop.
> 
> Use Pulled Pork or Oinkmaster to manage your rules and make changes.
> That is all.

Yes, and doing the above will also make sure your network ceases to function.

--
Joel Esler
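
The distinction drawn in the quoted reply, as an added example that is not part of the original thread or of any Snort tooling: a filter that leaves flowbit-setting rules as `alert` and reports their sids, where the blanket `sed` would have turned them into `drop`. The function names, the sample rules and the pattern used to recognise a "setter" (`flowbits:set`, which also matches `setx`, or `flowbits:toggle`) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not the thread author's script.
# Assumption: a rule "sets a flowbit" if its options contain
# flowbits:set (also matches setx) or flowbits:toggle.

# Constructed sample rules (sids and messages are made up).
sample_rules() {
cat <<'EOF'
# alert tcp any any -> any 80 (msg:"disabled rule"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE request seen"; flow:to_server,established; content:"GET"; flowbits:set,example.req; flowbits:noalert; sid:1000002;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"EXAMPLE bad response"; flow:to_client,established; flowbits:isset,example.req; content:"|de ad|"; sid:1000003;)
alert udp any any -> any 53 (msg:"EXAMPLE plain rule"; content:"|00 01|"; sid:1000004;)
EOF
}

# Reads rules on stdin, writes them on stdout.
# Active alert rules become drop unless they set a flowbit;
# commented-out rules and setters pass through unchanged.
alert_to_drop() {
    awk '
        /^alert[ \t]/ && !/flowbits:[ \t]*(set|toggle)/ { sub(/^alert/, "drop") }
        { print }
    '
}

# Reads rules on stdin, prints the sid of every active alert rule
# that sets a flowbit, i.e. the rules the blanket sed would break.
flowbit_setters() {
    awk '/^alert[ \t]/ && /flowbits:[ \t]*(set|toggle)/' |
        sed -n 's/.*sid:[ ]*\([0-9][0-9]*\);.*/\1/p'
}

# Usage (file names are placeholders):
#   flowbit_setters < some.rules
#   alert_to_drop   < some.rules > some.rules.new
```

A setter rule typically matches the ordinary first half of an exchange and only records state for a later rule to test, so dropping on it discards legitimate traffic. This shows only the flowbit case; Pulled Pork and Oinkmaster remain the way to manage the change across rule updates.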





