[Snort-users] rules in snort inline

Paul Schmehl pschmehl_lists at ...14358...
Tue Jun 15 18:09:21 EDT 2010


--On Tuesday, June 15, 2010 16:01:31 -0400 Joel Esler <jesler at ...1935...> 
wrote:

> On Jun 15, 2010, at 3:52 PM, Nigel Houghton wrote:
>> On Tue, Jun 15, 2010 at 3:33 PM, black_angel black_angel
>> <black.sad.angel at ...11827...> wrote:
>>> hey everybody,
>>> I try to change all the rules for my snort inline from mode "alert" to
>>> "drop". I used this script but it doesn't work correctly:
>>>
>>> cd /etc/snort_inline/rules/
>>>
>>> for file in $(ls -1 *.rules)
>>>
>>> do
>>>
>>>                sed -e 's:^alert:drop:g' ${file} > ${file}.new
>>>
>>>                mv ${file}.new ${file} -f
>>>
>>> done
>>> If someone has another script or any idea
>>>
>>>
>>
>>
>> Don't do that, any of you. There are flowbit rules (the ones that set
>> a flowbit) that should never be set to drop.
>>
>> Use Pulled Pork or Oinkmaster to manage your rules and make changes.
>> That is all.
>
> Yes, and doing the above will also assure to make sure your network ceases to
> function.

Some have recommended to us, on more than one occasion, that causing the 
network to cease to function would help secure the university against attack. 
Perhaps the OP had that in mind???  :-)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
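An added example, not a script from anyone in this thread: the same alert-to-drop rewrite, but leaving any rule that sets (or setx/toggle/noalert) a flowbit untouched, which is the point Nigel raises above. The sample rules file, its sids and flowbit names are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample rules file (not real Snort rules): rule 1 sets a flowbit
# and must stay "alert" or rule 2, which depends on that bit, never fires.
make_sample_rules() {
  cat > "$1" <<'EOF'
# comment lines are left untouched
alert tcp any any -> any 80 (msg:"stage one - sets bit"; flow:to_server; flowbits:set,example.stage1; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"stage two - needs bit"; flowbits:isset,example.stage1; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"plain rule"; sid:1000003; rev:1;)
EOF
}

# Rewrite "alert" to "drop" for every single-line rule in $1, except rules that
# set/setx/toggle/noalert a flowbit; result goes to $2, the count of skipped
# rules is printed on stdout. Multi-line (backslash-continued) rules are not
# handled; normalise them first or use a rule manager as the thread advises.
alert_to_drop() {
  awk -v out="$2" '
    /^[[:space:]]*alert[[:space:]]/ && /flowbits:[[:space:]]*(set|setx|toggle|noalert)/ {
      skipped++; print > out; next          # flowbit-setting rule: keep as alert
    }
    /^[[:space:]]*alert[[:space:]]/ { sub(/^[[:space:]]*alert/, "drop"); print > out; next }
    { print > out }                          # comments, blanks, non-alert rules
    END { print skipped + 0 }
  ' "$1"
}

# Demo run: write to a .new file like the original script, but do not mv it
# over the original until the skipped rules have been reviewed.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir/local.rules"
echo "skipped $(alert_to_drop "$demo_dir/local.rules" "$demo_dir/local.rules.new") flowbit-setting rule(s)"
grep -n '^alert' "$demo_dir/local.rules.new"
rm -rf "$demo_dir"
```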
