<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 3, 2018 at 12:42 PM, bobby via Snort-users <span dir="ltr"><<a href="mailto:snort-users@lists.snort.org" target="_blank">snort-users@lists.snort.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>I am running Snort inline.  I am running Linux. <br></div>What would be the easiest way to replace all rules with drop from alert?  Would I have to run a script to modify each rule, or is there an easier way? <br></div></blockquote><div><br></div><div>Use pulledpork to manage the rules <a href="http://seclists.org/snort/2017/q2/171">http://seclists.org/snort/2017/q2/171</a> <a href="http://seclists.org/snort/2015/q2/366">http://seclists.org/snort/2015/q2/366</a></div><div><br></div><div>Marcin</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 2, 2018 at 10:13 PM,  <span dir="ltr"><<a href="mailto:wkitty42@windstream.net" target="_blank">wkitty42@windstream.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On 02/02/2018 06:56 PM, bobby via Snort-users wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I would like to switch Snort from IDS to IPS mode.  Is this done only by modifying the rules, from alert, to drop status, or is there an easier,<br>
better way of accomplishing this?<br>
</blockquote>
<br></span>
IIUC, modifying the rules to drop as well as running inline... you have to be inline for snort to be able to control the connections and drop the ones you don't want...<br>
<br>
<br>
-- <br>
 NOTE: No off-list assistance is given without prior approval.<br>
       *Please keep mailing list traffic on the list unless*<br>
       *a signed and pre-paid contract is in effect with us.*<br>
______________________________<wbr>_________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.snort.org" target="_blank">Snort-users@lists.snort.org</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.snort.org/mailman/listinfo/snort-users" rel="noreferrer" target="_blank">https://lists.snort.org/mailma<wbr>n/listinfo/snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br>
<br>
Please follow these rules: <a href="https://snort.org/faq/what-is-the-mailing-list-etiquette" rel="noreferrer" target="_blank">https://snort.org/faq/what-is-<wbr>the-mailing-list-etiquette</a><br>
</blockquote></div><br></div>
<br>______________________________<wbr>_________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.snort.org">Snort-users@lists.snort.org</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.snort.org/mailman/listinfo/snort-users" rel="noreferrer" target="_blank">https://lists.snort.org/<wbr>mailman/listinfo/snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br>
<br>
Please follow these rules: <a href="https://snort.org/faq/what-is-the-mailing-list-etiquette" rel="noreferrer" target="_blank">https://snort.org/faq/what-is-<wbr>the-mailing-list-etiquette</a><br>
<br></blockquote></div><br></div></div>