Snort: With or Without Auto Blocking?

  • Is there any point in running snort without automatically blocking "offenders"?  I'm getting a lot of false positives from my international users (with dynamic IPs), and I don't want to deny them email/website access.

  • Without blocking, it's more like an infometer. You can check out the IPs and so on of the ones trying to get to your network. But if it is safety you're worried about, I think that pfSense does a good job of protecting you anyway!

  • Kinda reviving this thread, but is it possible to choose which rules should trigger a block? Right now it seems by default every single alert creates a block, which means there are a LOT of false positives, so activating the auto block is just suicide.

    It also seems impossible to edit the basic rules for http_inspect and ftp because they get overwritten each time you restart the service. You can add stuff in the configuration form, but you can't edit sections that are already in the default conf. (Thinking about the "http_inspect: NON-RFC DEFINED CHAR" that a lot of people are getting.)

    Thanks!
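An added example, not from anyone in this thread: a small Python triage script for the "infometer" mode described above. It parses Snort's fast alert format, ranks signatures by alert count and by how many distinct source IPs triggered them (many unrelated sources usually means a noisy rule, not an attacker), and emits `threshold.conf`-style `suppress` entries for those, which silences the alert without editing the regenerated preprocessor config. The alert lines, IP addresses and gid/sid values are constructed placeholders.

```python
import re
from collections import Counter

# One line per alert in Snort's "fast" alert format: [gid:sid:rev], message, addresses.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (not real logs); gid/sid values are placeholders,
# take the real ones from your own alert file before writing a suppress entry.
SAMPLE_ALERTS = """\
04/12-10:01:02.123456  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
04/12-10:01:09.000001  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.77:40001 -> 192.0.2.10:80
04/12-10:02:15.400000  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.9:61000 -> 192.0.2.10:443
04/12-10:03:00.000000  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4444 -> 192.0.2.10:22
04/12-10:03:02.000000  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4445 -> 192.0.2.10:22
"""

def parse_alerts(text):
    """Yield one dict per line that matches the fast alert format; skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def triage(text, top=10):
    """Rank signatures by alert count and count distinct source IPs per signature.
    A rule firing from many unrelated sources is usually noise (a false-positive
    candidate); one source hammering many rules is the pattern worth blocking."""
    by_sig = Counter()
    sources = {}
    for a in parse_alerts(text):
        key = (a["gid"], a["sid"], a["msg"])
        by_sig[key] += 1
        sources.setdefault(key, set()).add(a["src"])
    return [
        {"gid": g, "sid": s, "msg": m, "alerts": n, "distinct_sources": len(sources[(g, s, m)])}
        for (g, s, m), n in by_sig.most_common(top)
    ]

def suppress_lines(report, min_sources=3):
    """Emit threshold.conf 'suppress' entries for the noisy signatures, so the alert
    (and therefore the block) is disabled without editing the generated snort.conf."""
    return [f"suppress gen_id {r['gid']}, sig_id {r['sid']}"
            for r in report if r["distinct_sources"] >= min_sources]

if __name__ == "__main__":
    rep = triage(SAMPLE_ALERTS)
    for r in rep:
        print(f"{r['gid']}:{r['sid']} {r['alerts']} alerts from {r['distinct_sources']} sources  {r['msg']}")
    print("\n".join(suppress_lines(rep)))
```

Run it against a real alert file by reading the file into `triage()`; the suppress lines are a starting point to review, not something to apply blindly.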
