[Snort-users] Pulledpork Modify Rules Automatically

Jim Campbell jim at w4bqp.net
Thu Jun 15 11:10:33 EDT 2017


Thanks for the reply and the pointer to the site. Those instructions 
would allow me to drop specific rules. What I wanted to do is to drop 
any packet that alerted, then except specific rules that I want to 
allow. Something like the inverse of what your site specified. I did 
some searching on the internet and found the following site:


I realize that my original question specified Pulledpork. I wasn't aware 
that Snort being properly configured could do IPS all by itself. Snort 
is now doing what I want it to do.

Thanks again,


On 6/14/2017 9:54 PM, James Lay wrote:
> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
>> Since I last posted here I ended up formatting my hard drive, installing
>> the latest Ubuntu and installing Snort in IPS mode. However, at the end
>> of the tutorial on
>> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/  it
>> shows you how to modify the single local rule to drop rather than alert.
>> There is mention of a future page that will tell how to have Pulledpork
>> automatically modify all the rules to drop.
>> My setup is running in inline mode but so far hasn't reported any
>> packets being flagged. I could sure use some help.
>> Thanks,
>> Jim
> Dropsid.conf is where you'll want to look:
> https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
> James

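An added example, not part of the original thread and not Pulledpork's or Snort's own code: the "inverse" policy described in the message above, where every active `alert` rule becomes `drop` except rules on an exemption list. The function names, the `KEEP_ALERT` set and the sample rules are constructed for this illustration, and it assumes one rule per line with the SID given as a `sid:` option.

```python
import re

ACTION_RE = re.compile(r'^(\s*)alert(\s+.*)$')   # leading space, action, rest of rule
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

def to_drop(line, keep_alert):
    """Change 'alert' to 'drop' unless the rule's gid:sid is in keep_alert."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return line                      # blank lines, comments, disabled rules
    action = ACTION_RE.match(line)
    options = line.partition('(')[2]     # look for sid/gid only in the option body
    sid = SID_RE.search(options)
    if not action or not sid:
        return line                      # not an alert rule, or no SID to key on
    gid = GID_RE.search(options)
    key = f"{gid.group(1) if gid else 1}:{sid.group(1)}"   # gid defaults to 1
    if key in keep_alert:
        return line                      # exempted: stays alert-only
    return f"{action.group(1)}drop{action.group(2)}"

def convert(rules_text, keep_alert):
    """Apply to_drop to every line of a rules file's contents."""
    return "\n".join(to_drop(l, keep_alert) for l in rules_text.splitlines())

# Constructed sample rules (local SID range), not taken from any real ruleset.
SAMPLE_RULES = """
alert tcp any any -> $HOME_NET 22 (msg:"constructed SSH test"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"constructed ICMP test"; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed disabled rule"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"constructed gid 3 rule"; gid:3; sid:1000004; rev:1;)
""".strip()

# Rules that should keep alerting without blocking traffic, as "gid:sid".
KEEP_ALERT = {"1:1000002"}

if __name__ == "__main__":
    print(convert(SAMPLE_RULES, KEEP_ALERT))
```

Dropped packets only take effect when Snort itself is running inline; in passive mode a `drop` rule cannot block traffic.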