[Snort-users] Switching snort from IDS to IPS mode

Jim Campbell jim at w4bqp.net
Sat Feb 3 08:47:39 EST 2018


I run the following snippet from a shell script to change the rules from 
alert to block. I am running snort 2.9.9.0 inline (IPS) under Ubuntu 17.04.

echo "Change 'alert' to 'block' for snort.rules ========================"
sudo awk '{sub("alert","block",$0); print;}' \
    /etc/snort/rules/snort.rules > /etc/snort/rules/snortd.rules


On 2/3/2018 6:42 AM, bobby via Snort-users wrote:
> I am running Snort inline.  I am running Linux.
> What would be the easiest way to replace all rules with drop from 
> alert?  Would I have to run a script to modify each rule, or is there 
> an easier way?
>
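
An added example, not part of the original post: a variant of the awk substitution above that rewrites only the action keyword at the start of active rules, so commented-out rules and the word "alert" inside a msg string are left untouched. The function names convert_action and sample_rules, the sample rules and their SIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the poster's script).
# Usage: convert_action [TARGET] < in.rules > out.rules
# TARGET defaults to "block", the action used in the post above.
convert_action() {
    target="${1:-block}"
    awk -v target="$target" '
        # Active rule: optional leading whitespace, then the action "alert".
        /^[ \t]*alert[ \t]/ {
            # Only whitespace precedes the keyword, so the first match
            # of "alert" on this line is the action field itself.
            sub(/alert/, target)
            changed++
        }
        { print }
        # Report how many rules were rewritten, on stderr so the rules
        # written to stdout stay clean.
        END { printf "%d rule(s) changed to %s\n", changed, target > "/dev/stderr" }
    '
}

# Constructed sample input: one active alert rule, one commented-out
# rule, and one rule whose msg text happens to contain the word "alert".
sample_rules() {
cat <<'EOF'
alert tcp any any -> any 80 (msg:"constructed test alert rule"; sid:1000001; rev:1;)
# alert tcp any any -> any 23 (msg:"disabled rule"; sid:1000002; rev:1;)
drop icmp any any -> any any (msg:"ICMP alert storm"; sid:1000003; rev:1;)
EOF
}

# Demo run: only the first rule changes.
sample_rules | convert_action block
```

Diffing the output file against the input before reloading Snort shows exactly which rules changed action.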
