[Snort-users] Pulledpork Modify Rules Automatically

James Lay jlay at slave-tothe-box.net
Thu Jun 15 14:08:06 EDT 2017


Excellent! 

James 

On 2017-06-15 09:10, Jim Campbell wrote:

> James,
> 
> Thanks for the reply and the pointer to the site. Those instructions would allow me to drop specific rules. What I wanted to do is to drop any packet that alerted, then except specific rules that I want to allow. Something like the inverse of what your site specified. I did some searching on the internet and found the following site:
> 
> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf
> 
> I realize that my original question specified Pulledpork. I wasn't aware that Snort being properly configured could do IPS all by itself. Snort is now doing what I want it to do.
> 
> Thanks again,
> 
> Jim
> 
> On 6/14/2017 9:54 PM, James Lay wrote:
>
> > On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
> >
> > > Since I last posted here I ended up formatting my hard drive, installing
> > > the latest Ubuntu and installing Snort in IPS mode. However, at the end
> > > of the tutorial on
> > > http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
> > > shows you how to modify the single local rule to drop rather than alert.
> > > There is mention of a future page that will tell how to have Pulledpork
> > > automatically modify all the rules to drop.
> > >
> > > My setup is running in inline mode but so far hasn't reported any
> > > packets being flagged. I could sure use some help.
> > >
> > > Thanks,
> > >
> > > Jim
> >
> > Dropsid.conf is where you'll want to look:
> >
> > https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
> >
> > James
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
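
The policy Jim describes in the thread above (drop on every rule that alerts, except chosen rules that stay alert-only), as an added example that is not part of the original messages and is not PulledPork's or Snort's own code. It assumes one rule per line; the function names and the sample rules are constructed for illustration.

```python
import re

# An active (uncommented) rule line whose action is "alert".
ALERT_RULE = re.compile(r'^(\s*)alert(\s+.*\(.*\)\s*)$')
SID = re.compile(r'[;(]\s*sid\s*:\s*(\d+)\s*;')
GID = re.compile(r'[;(]\s*gid\s*:\s*(\d+)\s*;')

# Constructed sample input, not taken from any real rule set.
SAMPLE = '''\
# Constructed sample rules for this example
alert tcp any any -> any 80 (msg:"constructed web rule"; content:"test"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"constructed ping rule"; sid:1000002; rev:1;)
# alert tcp any any -> any 23 (msg:"constructed disabled rule"; sid:1000003; rev:1;)
alert ( msg:"constructed preprocessor-style rule"; sid:12; gid:129; rev:1; )
pass tcp any any -> any 443 (msg:"constructed pass rule"; sid:1000004; rev:1;)
'''


def rule_id(rule):
    """Return (gid, sid) for a rule, or None if it has no sid; gid defaults to 1."""
    sid = SID.search(rule)
    if not sid:
        return None
    gid = GID.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def alerts_to_drops(rules_text, keep_alert):
    """Rewrite 'alert' to 'drop' on every active rule not listed in keep_alert.

    keep_alert is a set of (gid, sid) pairs that must stay alert-only.
    Commented-out rules, blank lines and other actions pass through unchanged.
    Returns (new_text, changed_ids) so the change set can be reviewed.
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        m = ALERT_RULE.match(line)
        ident = rule_id(line) if m else None
        if m and ident is not None and ident not in keep_alert:
            line = f"{m.group(1)}drop{m.group(2)}"
            changed.append(ident)
        out.append(line)
    return "\n".join(out) + "\n", changed
```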
