[Oisf-users] How do I get IPF mode to, well, P?

Andreas Herz andi at geekosphere.org
Wed Mar 9 19:33:01 UTC 2016


On 09/03/16 at 11:06, James Moe wrote:
> On 03/04/2016 05:06 PM, Andreas Herz wrote:
> >> >   I see this in <fast.log>, thinking the packet should be dropped:
> >> > 03/04/2016-13:34:38.972801  [**] [1:2402000:3998] ET DROP Dshield Block
> >> > Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2]
> >> > {TCP} 185.130.5.98:43578 -> 192.168.69.246:587
> >
> > Did you convert the alert rule to a drop rule? 
> > I guess not as the DROP in front of the [**] is missing.
> >
>   Looking at this more I realize I do not know what you mean by
> "converting" the rule. It is not simply changing the word "alert" to
> "drop"; the rules file would be overwritten each time it is updated.
>   How do I permanently convert a rule from alert to drop?

What do you use to update them?
I have a small script, others use pulledpork or oinkmaster for that
purpose.

-- 
Andreas Herz
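As an added illustration of the approach Andreas describes (a small script run after each rule update), not his script or anything shipped with Suricata, pulledpork or oinkmaster: the function below rewrites the action of selected rules from `alert` to `drop` by SID, leaves commented-out and unlisted rules untouched, and is idempotent, so it can be re-run after every update without harm. The sample rule text is constructed and simplified (only the SID, rev and msg match the fast.log line quoted above); the function names and the SID-list file format are this example's own assumptions.

```python
"""Re-apply alert -> drop conversions to a Suricata rules file by SID.

Run this after every rule update (the update overwrites the rules file,
so the conversion must be applied again each time), then reload rules.
"""
import re
import sys

# Constructed, simplified sample rules for demonstration (not the real ET
# rule bodies): one DShield-style rule, one unrelated rule, one disabled rule.
SAMPLE_RULES = """\
alert ip 185.130.5.0/24 any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; classtype:misc-attack; sid:2402000; rev:3998;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; sid:1000001; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)
"""

# 'sid:NNN;' option inside the rule body.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# 'alert' only when it is the rule action (first token on the line).
ACTION_RE = re.compile(r"^(\s*)alert(\s)")


def convert_to_drop(rules_text, sids_to_drop):
    """Return (new_rules_text, set_of_sids_actually_converted).

    Only active rules (not starting with '#') whose sid is in sids_to_drop
    and whose action is 'alert' are changed; rules already 'drop' are left
    as they are, which makes repeated runs a no-op.
    """
    out = []
    converted = set()
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            out.append(line)          # comment / blank: keep verbatim
            continue
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids_to_drop and ACTION_RE.match(line):
            line = ACTION_RE.sub(r"\1drop\2", line, count=1)
            converted.add(int(m.group(1)))
        out.append(line)
    return "\n".join(out) + "\n", converted


def load_sid_list(text):
    """Parse a SID list: one SID per line, '#' starts a comment (assumed format)."""
    sids = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            sids.add(int(entry))
    return sids


def main(argv):
    # Usage: convert_to_drop.py <rules-file> <sid-list-file>
    if len(argv) != 3:
        sys.stderr.write("usage: %s RULES_FILE SID_LIST_FILE\n" % argv[0])
        return 2
    rules_path, sid_path = argv[1], argv[2]
    with open(sid_path) as fh:
        sids = load_sid_list(fh.read())
    with open(rules_path) as fh:
        new_text, converted = convert_to_drop(fh.read(), sids)
    with open(rules_path, "w") as fh:
        fh.write(new_text)
    missing = sorted(sids - converted)
    print("converted %d rule(s) to drop" % len(converted))
    if missing:
        # Either already 'drop', disabled, or not present after the update.
        print("not converted (already drop, disabled or absent): %s" % missing)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After the file is rewritten, Suricata still has to reload its rule set (live rule reload or a restart) before the change takes effect; the quick check is the fast.log entry for that SID, which for a dropped packet carries the drop marker in front of `[**]`, exactly the marker Andreas notes is missing in the line quoted above.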