With the new snort being downloaded in full for every IPS update, will we receive a mail notification about snort restarting, so far today I have received 2 notifications?
we can run it in IDS mode, than you only get warnings, yet traffic is not blocked, and we can run it in IPS mode, where traffic gets dropped. You can configure the behavior in the "Action" field in the "attack pattern" tab.
regarding the update size. We are utilizing Patch-RPM-Updates, this means that we only send out the diff between the current pattern set and new one. If only some pattern changed, than only these pattern get updated. Yet if the engine and pattern changes, than we update both.
The reason for that is that the snort engine is constantly evolving with new mechanism as well as the inclusion of so called 'so-rules' which are detection code in binary so-libraries. These are used for recent Microsoft Vulnerabilities and as part of the MAPP license agreement you are required to distribute information you received via MAPP only in compiled format.
thank you for the explanation and the update. My patterns are now all drop, they were terminate, not sure why they changed, unless the default is terminate and during the last rebuild I didn't change them?
