[Snort-users] Restart snort inline without traffic loss?

waldo kitty wkitty42 at ...14940...
Thu Feb 7 14:09:54 EST 2013


On 2/7/2013 12:55, Andy wrote:
> Thanks for all the replies, I am still confused by the rules I am getting
> with pulledpork, every rule is an alert, none are a drop, so if I want snort
> to drop bad traffic what do I do? If I manually change an alert rule to a
> drop rule it will get overwritten on the next download, have I missed
> something?

you have obviously missed my earlier reply stating that yes, all distributed 
rules are 'alert' rules and that you need to configure pulledpork to change them 
to drop rules... if pulledpork is as much like oinkmaster as i think it may be, 
then there should be a mechanism where you tell it to modifysid the rules you 
want changed to 'drop' rules...






More information about the Snort-users mailing list