[Snort-users] rules in snort inline

Burks, Doug doug.burks at ...14446...
Tue Jun 15 16:43:39 EDT 2010


Mea culpa.  I saw a sed problem and my fingers automagically banged out
a sed solution without thinking.  (I've always used
Oinkmaster/PulledPork so I've never had the "pleasure" of finding out
what this would actually do).  Sorry for the noise.  
 
Can I get a mulligan?  
 
"I highly recommend PulledPork."
 
:)
 
Regards,

--

Doug Burks, GPEN, GCIA, GSEC, CISSP
http://securityonion.blogspot.com


________________________________

From: Crook, Parker [mailto:Parker_Crook at ...14786...] 
Sent: Tuesday, June 15, 2010 4:22 PM
To: Burks, Doug; black_angel black_angel;
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] rules in snort inline



I'm going to point you to use Nigel & Joel & JJ's advice on this one...

 

Furthermore if you want to change some rule from alert to drop, you
should disable the rule (I also recommend Pulled Pork for downloading,
enabling, disabling, etc) and move the rule to your local.rules file
with your changes - make sure you give the rule a new sid number and
update your sid-msg.map file.  That way, when you download the rule
updates you don't overwrite your changes.

 

-Parker
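The steps Parker lists above (disable the vendor rule, copy it into local.rules as a drop rule, give it a new sid, update sid-msg.map) are easy to get half right by hand, so here they are as one small script. This is an added example, not Parker's, Doug's or the Snort project's code. It assumes Snort 2.x rule syntax with "msg:" and "sid:N;" keywords, the classic "sid || msg" layout of sid-msg.map, and that local rules use sids starting at 1000000 (the range Snort reserves for local rules; any unused range works). The rule file it operates on at the bottom is a constructed sample written to a temporary directory.

```shell
#!/bin/sh
# Added example (not Parker's, Doug's or the Snort project's code): move one
# vendor rule into local.rules as a "drop" rule with a new SID, comment out the
# original so rule updates can still refresh the vendor file, and record the new
# SID in sid-msg.map. Assumptions: Snort 2.x rule syntax with msg:"..." and
# sid:N; keywords, the classic "sid || msg" sid-msg.map format, and local SIDs
# starting at 1000000 (the range Snort reserves for local rules).
set -u

LOCAL_SID_BASE=1000000

# Print the next free local SID: one above the highest sid already present in
# the given local.rules file, or LOCAL_SID_BASE when the file is empty/missing.
next_local_sid() {
    local_rules=$1
    local_max=$(sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$local_rules" 2>/dev/null | sort -n | tail -n 1)
    if [ -z "$local_max" ] || [ "$local_max" -lt "$LOCAL_SID_BASE" ]; then
        echo "$LOCAL_SID_BASE"
    else
        echo $((local_max + 1))
    fi
}

# Print rule line $1 rewritten as a drop rule carrying sid $2 and rev 1
# (the copy is a new local rule, so its revision counter starts over).
make_drop_rule() {
    printf '%s\n' "$1" | sed \
        -e 's/^alert /drop /' \
        -e "s/sid:[[:space:]]*[0-9][0-9]*;/sid:$2;/" \
        -e 's/rev:[[:space:]]*[0-9][0-9]*;/rev:1;/'
}

# Print the msg text of rule line $1 (used for the sid-msg.map entry).
rule_msg() {
    printf '%s\n' "$1" | sed -n 's/.*msg:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# convert_to_drop ORIG_SID VENDOR_FILE LOCAL_RULES SID_MAP
# Copies the alert rule with ORIG_SID into LOCAL_RULES as a drop rule with a
# fresh local SID, comments the original out in VENDOR_FILE (written through a
# temporary file, like the loop in the original post, so it stays POSIX
# portable), appends the SID/msg pair to SID_MAP and prints the new SID.
# Returns 1 when no alert rule with ORIG_SID exists in VENDOR_FILE.
convert_to_drop() {
    orig_sid=$1; vendor=$2; local_rules=$3; sid_map=$4
    line=$(grep "^alert .*sid:[[:space:]]*$orig_sid;" "$vendor" | head -n 1)
    [ -n "$line" ] || return 1
    new_sid=$(next_local_sid "$local_rules")
    make_drop_rule "$line" "$new_sid" >> "$local_rules"
    sed "s/^alert \(.*sid:[[:space:]]*$orig_sid;\)/# alert \1/" "$vendor" > "$vendor.new" \
        && mv -f "$vendor.new" "$vendor"
    printf '%s || %s\n' "$new_sid" "$(rule_msg "$line")" >> "$sid_map"
    echo "$new_sid"
}

# Stand-alone demonstration on a constructed rule file in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' \
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED example rule"; flow:to_server; content:"evil"; sid:999001; rev:3;)' \
    > "$demo_dir/vendor.rules"
new=$(convert_to_drop 999001 "$demo_dir/vendor.rules" "$demo_dir/local.rules" "$demo_dir/sid-msg.map")
echo "new local sid: $new"
cat "$demo_dir/local.rules" "$demo_dir/vendor.rules" "$demo_dir/sid-msg.map"
rm -r "$demo_dir"
```

Because the original line is only commented out rather than edited, the next Oinkmaster/PulledPork run can overwrite the vendor file without touching your copy in local.rules, which is exactly the property Parker is after; the blanket sed elsewhere in this thread loses that on the first update. The rev is reset to 1 because the copy is a new rule under a new sid.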

 

________________________________

From: Burks, Doug [mailto:doug.burks at ...14446...] 
Sent: Tuesday, June 15, 2010 3:46 PM
To: black_angel black_angel; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rules in snort inline

 

How about something like this?

 

sed -i 's|^alert |drop |g'  /etc/snort_inline/rules/*.rules

 

Regards,

--

Doug Burks, GPEN, GCIA, GSEC, CISSP
http://securityonion.blogspot.com

 

 

________________________________

From: black_angel black_angel [mailto:black.sad.angel at ...11827...] 
Sent: Tuesday, June 15, 2010 3:34 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] rules in snort inline

Hey everybody,
I try to change all the rules for my snort inline from mode "alert" to
"drop". I used this script but it doesn't work correctly:



cd /etc/snort_inline/rules/ || exit 1
# loop over the glob itself instead of parsing "ls" output, and quote the
# file name so names containing spaces survive
for file in *.rules
do
    # match "alert" only as the leading action keyword, write the result to
    # a temp file, then replace the original (options before operands, as
    # POSIX mv expects)
    sed -e 's:^alert :drop :' "$file" > "$file.new" && \
    mv -f "$file.new" "$file"
done
If someone has another script or any idea
