[Snort-users] Pulledpork Modify Rules Automatically

Jim Campbell jim at w4bqp.net
Thu Jun 15 11:10:33 EDT 2017


James,

Thanks for the reply and the pointer to the site. Those instructions 
would allow me to drop specific rules. What I wanted to do is to drop 
any packet that alerted, then except specific rules that I want to 
allow. Something like the inverse of what your site specified. I did 
some searching on the internet and found the following site:

https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf

I realize that my original question specified Pulledpork. I wasn't aware 
that Snort being properly configured could do IPS all by itself. Snort 
is now doing what I want it to do.

Thanks again,

Jim

On 6/14/2017 9:54 PM, James Lay wrote:
> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
>> Since I last posted here I ended up formatting my hard drive, installing
>> the latest Ubuntu and installing Snort in IPS mode. However, at the end
>> of the tutorial on
>> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/  it
>> shows you how to modify the single local rule to drop rather than alert.
>> There is mention of a future page that will tell how to have Pulledpork
>> automatically modify all the rules to drop.
>>
>> My setup is running in inline mode but so far hasn't reported any
>> packets being flagged. I could sure use some help.
>>
>> Thanks,
>>
>> Jim
>>
>
> Dropsid.conf is where you'll want to look:
>
> https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
>
> James
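As an added example (not code from this thread, from Pulledpork, or from the linked tutorials), the Python helper below implements the inverse of dropsid.conf that Jim describes: every uncommented alert rule becomes a drop rule, except an allow-list of SIDs that should keep alerting only. It assumes one rule per line, as in local.rules, and the sample rules in it are constructed for the demo.

```python
import re
from typing import Iterable, Tuple

# Action keyword at the start of an uncommented rule line ("alert ..." only).
ACTION_RE = re.compile(r"^(\s*)alert(\s+)", re.IGNORECASE)
# The rule's sid option, e.g. "sid:10000001;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules for the demo; not a real or distributed ruleset.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; sid:10000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH alert, keep as alert"; sid:10000002; rev:1;)
# alert tcp any any -> any 23 (msg:"commented out, left alone"; sid:10000003; rev:1;)
pass tcp $HOME_NET any -> any 53 (msg:"DNS pass rule"; sid:10000004; rev:1;)
drop tcp any any -> $HOME_NET 445 (msg:"already drop"; sid:10000005; rev:1;)
"""


def alert_to_drop(rules_text: str, keep_alert_sids: Iterable[int]) -> Tuple[str, int, int]:
    """Rewrite every uncommented 'alert' rule to 'drop', except the listed SIDs.

    Returns (rewritten_text, rules_converted, rules_exempted). Comments, blank
    lines and rules whose action is already drop/pass/etc. are copied unchanged.
    Assumes one rule per line (no backslash continuations).
    """
    exempt = set(keep_alert_sids)
    out, converted, exempted = [], 0, 0
    for line in rules_text.splitlines(keepends=True):
        m = ACTION_RE.match(line)
        if m is None:              # comment, blank line, or non-alert action
            out.append(line)
            continue
        sid_m = SID_RE.search(line)
        if sid_m and int(sid_m.group(1)) in exempt:
            exempted += 1          # allow-listed: keep alerting only
            out.append(line)
            continue
        # Replace only the leading action keyword; "alert" inside msg:"..." is untouched.
        out.append(f"{m.group(1)}drop{m.group(2)}{line[m.end():]}")
        converted += 1
    return "".join(out), converted, exempted


if __name__ == "__main__":
    text, n_drop, n_keep = alert_to_drop(SAMPLE_RULES, {10000002})
    print(text)
    print(f"converted {n_drop} rule(s) to drop, left {n_keep} alerting")
```

Because Pulledpork regenerates the rules file on every run, this would have to be applied to its output each time, before Snort reloads the rules.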
