[Snort-users] Pulledpork Modify Rules Automatically
jim at w4bqp.net
Thu Jun 15 11:10:33 EDT 2017
Thanks for the reply and the pointer to the site. Those instructions
would allow me to drop specific rules. What I wanted to do is to drop
any packet that alerted, then except specific rules that I want to
allow. Something like the inverse of what your site specified. I did
some searching on the internet and found the following site:

I realize that my original question specified Pulledpork. I wasn't aware
that Snort being properly configured could do IPS all by itself. Snort
is now doing what I want it to do.

On 6/14/2017 9:54 PM, James Lay wrote:
> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
>> Since I last posted here I ended up formatting my hard drive, installing
>> the latest Ubuntu and installing Snort in IPS mode. However, at the end
>> of the tutorial on
>> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
>> shows you how to modify the single local rule to drop rather than alert.
>> There is mention of a future page that will tell how to have Pulledpork
>> automatically modify all the rules to drop.
>> My setup is running in inline mode but so far hasn't reported any
>> packets being flagged. I could sure use some help.
> Dropsid.conf is where you'll want to look:
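
The behaviour asked for in the message above (every alerting rule becomes a drop rule, except a short list of rules that should keep alerting), shown as an added example that is not part of the original post and is not PulledPork's or Snort's own code. The function name `alerts_to_drops`, the `keep_alert` set and the sample rules are assumptions made for illustration; a rule with no `gid` option is treated as generator 1.

```python
import re

# Constructed sample rules (not from the post); SIDs are in the local-rule range.
SAMPLE_RULES = '''\
# local.rules (constructed for illustration)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH attempt"; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 23 (msg:"disabled rule"; sid:1000003; rev:1;)
drop tcp any any -> $HOME_NET 445 (msg:"already drop"; sid:1000004; rev:1;)
'''

# sid/gid options as they appear inside a rule's option block, e.g. "sid:1000001;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def alerts_to_drops(rules_text, keep_alert):
    """Rewrite active 'alert' rules to 'drop', except (gid, sid) pairs in keep_alert.

    Comments, disabled (commented-out) rules, blank lines and rules whose
    action is already something other than 'alert' are passed through unchanged.
    """
    out = []
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        if not stripped.startswith("alert "):
            out.append(line)
            continue
        sid = SID_RE.search(stripped)
        gid = GID_RE.search(stripped)
        key = (int(gid.group(1)) if gid else 1,
               int(sid.group(1)) if sid else None)
        if key in keep_alert:
            out.append(line)  # listed exception: keep alerting only
        else:
            indent = line[:len(line) - len(stripped)]
            out.append(indent + "drop" + stripped[len("alert"):])
    return "\n".join(out)


if __name__ == "__main__":
    # Keep the SSH rule as alert-only; everything else that alerts now drops.
    print(alerts_to_drops(SAMPLE_RULES, keep_alert={(1, 1000002)}))
```

Rules rewritten to `drop` only block traffic when Snort is running inline, as in the setup the thread describes.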