[Snort-users] Sourcefire VRT Rules and Snort Active Response

Jason D. McCormick jasonmc at ...15309...
Mon Jun 20 16:29:27 EDT 2011


>> I am correct in my understanding that when executed this
>> way the Sourcefire VRT rulesets will not actively
>> response since Snort isn't operating in inline mode, yes?

> Snort can still send active responses in IDS mode, so make
> sure that this line or similar is commented out of your
> snort.conf:

> # config response: eth0 attempts 2.

Yes it is, and that's how it comes from Sourcefire in the VRT ruleset too.  I just wanted to make sure there wasn't some other "default" value that made this still work with that line commented out (as opposed to set to 0 or something).  Sounds like I'm good then?

- Jason




More information about the Snort-users mailing list