A question about snort?
I wonder how snort blocks a host?
Does it write a temporary rule, or does it use a TCP_END packet?
One more question?
Can I automatically update rules from another site (not snort.org)?
Go to Diagnostics > Edit File and open /tmp/rules.debug. This is the pf configuration that is loaded. You'll see a section there where snort can add block items to the ruleset. It generates firewall block rules dynamically for offenders.
There is currently no option to load rules from anywhere other than snort.org.
Thanks for the reply…