[Snort-users] Sourcefire VRT Rules and Snort Active Response
Jason D. McCormick
jasonmc at ...15309...
Mon Jun 20 16:29:27 EDT 2011
>> I am correct in my understanding that when executed this
>> way the Sourcefire VRT rulesets will not actively
>> respond since Snort isn't operating in inline mode, yes?
> Snort can still send active responses in IDS mode, so make
> sure that this line or similar is commented out of your
> # config response: eth0 attempts 2.
Yes it is, and that's how it comes from Sourcefire in the VRT ruleset too. I just wanted to make sure there wasn't some other "default" value that made this still work with that line commented out (as opposed to set to 0 or something). Sounds like I'm good then?