From: Lance S. <la...@ho...> - 2004-07-23 19:00:48
> So, I figure that the 'snort_inline.conf' is the one I want, but doing
> a diff with the 'snort.conf' shows that there are some xxx.rules files
> commented out on snort_inline.conf vs. snort.conf and vice versa.
>
> Is there any particular reason for this difference?

Most likely the snort_inline.conf file only includes rulesets that are
actual attacks (things you want to block). Informational things, such as
ICMP, DNS queries, etc., you most likely do not want to be modified or
blocked.

> Also, is there a maintained database of snort_inline signature ruleset
> much like the snort signature ruleset database? Or are they one and
> the same?

One and the same. The Honeynet Project actually looked at maintaining a
snort-inline ruleset, but it quickly became obvious that was a logistical
nightmare. Instead, Brian Caswell has developed an excellent solution,
'snortconfig'. It takes a current snort rulebase and converts the rules to
snort-inline, allowing you to convert to 'drop/reject/replace'. This way
you can easily keep your snort-inline ruleset current. Learn more at
http://www.shmoo.com/~bmc/software/snortconfig/.

lance
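The conversion Lance describes (take a stock Snort rulebase, turn the attack rulesets into blocking rules, leave the informational rulesets alerting) as an added example. This is not code from the original post and not snortconfig's own code; it assumes Snort 2.x rule syntax and the snort_inline actions drop/reject/sdrop. The rule files, their contents and the list of "informational" rulesets below are constructed for illustration.

```python
"""Rewrite Snort 'alert' rules as snort_inline blocking rules.

Added example, not snortconfig's own code. Assumes Snort 2.x rule syntax
and the snort_inline actions drop/reject/sdrop. All rule text below is
constructed sample data, not real Snort rules.
"""
import re

# Leading action keyword of a rule line, followed by a protocol.
# Only 'alert' rules are rewritten: converting 'pass' rules would turn a
# whitelist into a blocklist, and comments/blank lines must survive untouched.
ACTION_RE = re.compile(r"^(alert)(\s+)(?=(tcp|udp|icmp|ip)\b)")

# Actions accepted by snort_inline (assumption: 'replace' is a rule option,
# not an action, so it is not offered here).
INLINE_ACTIONS = {"drop", "reject", "sdrop"}

# Rulesets treated as informational per the post: keep them alerting.
# Assumption: which files count as informational is a local policy choice.
INFORMATIONAL = {"icmp.rules", "icmp-info.rules", "dns.rules"}


def convert_rule_text(text, action="drop"):
    """Return rule text with every 'alert' rule rewritten to `action`."""
    if action not in INLINE_ACTIONS:
        raise ValueError("unsupported snort_inline action: %r" % action)
    out = []
    for line in text.splitlines():
        # Continuation lines of a backslash-wrapped rule never start with
        # the action keyword, so a per-line rewrite is safe.
        out.append(ACTION_RE.sub(lambda m: action + m.group(2), line))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def build_inline_ruleset(rule_files, action="drop", informational=INFORMATIONAL):
    """rule_files: {filename: text}. Returns {filename: converted text}.

    Attack rulesets are converted; informational rulesets are returned
    unchanged so they still alert instead of blocking traffic.
    """
    converted = {}
    for name, text in rule_files.items():
        if name in informational:
            converted[name] = text
        else:
            converted[name] = convert_rule_text(text, action)
    return converted


def count_actions(text):
    """Count rule lines by leading action keyword (sanity check)."""
    counts = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s+(tcp|udp|icmp|ip)\b", line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed sample rule files (not real Snort rules).
SAMPLE_RULE_FILES = {
    "exploit.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB constructed test"; '
        'content:"/cgi-bin/bad"; sid:1000001; rev:1;)\n'
        "# comment lines are left alone\n"
        'pass tcp $HOME_NET any -> $HOME_NET 80 (msg:"constructed whitelist"; '
        "sid:1000002; rev:1;)\n"
    ),
    "icmp.rules": (
        'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING constructed"; '
        "itype:8; sid:1000003; rev:1;)\n"
    ),
}

if __name__ == "__main__":
    for name, text in build_inline_ruleset(SAMPLE_RULE_FILES).items():
        print("%s: %s" % (name, count_actions(text)))
        print(text)
```

Run against a real rules directory by reading each file into the dict; the informational set is the place to encode local policy about which rulesets should never block, and reviewing the per-file action counts before loading the result into snort_inline is the cheap check that a whitelist rule was not accidentally turned into a drop.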