[Snort-users] Pulledpork Modify Rules Automatically
jlay at slave-tothe-box.net
Thu Jun 15 14:08:06 EDT 2017
On 2017-06-15 09:10, Jim Campbell wrote:
> Thanks for the reply and the pointer to the site. Those instructions would allow me to drop specific rules. What I wanted to do is to drop any packet that alerted, then except specific rules that I want to allow. Something like the inverse of what your site specified. I did some searching on the internet and found the following site:
> I realize that my original question specified Pulledpork. I wasn't aware that Snort being properly configured could do IPS all by itself. Snort is now doing what I want it to do.
> Thanks again,
> On 6/14/2017 9:54 PM, James Lay wrote:
> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
> Since I last posted here I ended up formatting my hard drive, installing
> the latest Ubuntu and installing Snort in IPS mode. However, at the end
> of the tutorial on
> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
> shows you how to modify the single local rule to drop rather than alert.
> There is mention of a future page that will tell how to have Pulledpork
> automatically modify all the rules to drop.
> My setup is running in inline mode but so far hasn't reported any
> packets being flagged. I could sure use some help.
> Dropsid.conf is where you'll want to look:
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!