
The Internet is full of instructions on how to install Snort. The result of all these instructions is that Snort works great in the default configuration (IDS mode = detect only).

However, I would like Snort not only to detect suspicious traffic but also to block it immediately (IPS mode = detect and prevent).

The previous way to do this was simply to rewrite the rules from alert to drop. But is that correct?

grep -rlE "^alert " /etc/snort/rules | xargs sed -i 's/^alert /drop /'   # only the rule action at the start of the line, not "alert " inside msg strings or comments

I am grateful for recommendations and best practices.

I found this slide from 2013. Maybe that will give you some clues.


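The following script is an added example and is not part of the original question or of the Snort project. It shows a safer version of the alert-to-drop rewrite: the rule action is the first token of a non-comment line, so the substitution is anchored at the start of the line instead of replacing every "alert " in the file (an unanchored `s/alert /drop /g` also rewrites the word inside `msg:"..."` strings and in commented-out rules). The rules in the heredoc are constructed for the demonstration, with sids in the local 1000000+ range; the file names come from `mktemp`.

```shell
#!/bin/sh
# Added example (not from the original post): convert Snort "alert" rules
# to "drop" rules without touching comments or rule option strings, then
# count the actions so the result can be checked before it is installed.

# Rewrite only lines whose first token is "alert". Leading whitespace and
# the whitespace after the action are preserved by the back-references.
alert_to_drop() {
    # $1: input rules file. Converted rules are written to stdout.
    sed -E 's/^([[:space:]]*)alert([[:space:]]+)/\1drop\2/' "$1"
}

# Count rules in file $1 whose action is $2. Commented-out rules do not
# match because they start with "#". grep -c prints 0 when nothing matches
# but exits non-zero, so the exit status is neutralised for set -e callers.
count_action() {
    grep -cE "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Constructed sample rules: a commented-out rule, a rule whose msg string
# contains the word "alert ", a pass rule that must stay a pass rule, and
# an indented alert rule.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# alert tcp any any -> any any (msg:"disabled rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login alert "; flow:to_server; sid:1000002; rev:1;)
pass tcp $HOME_NET any -> any 53 (msg:"trusted resolver"; sid:1000003; rev:1;)
   alert udp any any -> $HOME_NET 161 (msg:"SNMP probe"; sid:1000004; rev:1;)
EOF

CONVERTED=$(mktemp)
alert_to_drop "$SAMPLE_RULES" > "$CONVERTED"

# When run directly: 2 alert rules become 2 drop rules, the pass rule and
# the commented-out rule are unchanged, and the msg string still reads
# "SSH login alert ".
echo "alert rules before: $(count_action "$SAMPLE_RULES" alert), after: $(count_action "$CONVERTED" alert)"
echo "drop rules after:   $(count_action "$CONVERTED" drop)"
cat "$CONVERTED"
```

Rewriting the actions is only half of the job. A drop rule can only drop a packet when Snort sits inline in the forwarding path; in passive mode it merely alerts. For Snort 2.9.x that means starting it with `-Q` and an inline-capable DAQ, for example `snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf` for a bridge between two interfaces, or `--daq nfq` when traffic is handed over by an iptables NFQUEUE rule, and setting `config policy_mode:inline` in snort.conf. The `--treat-drop-as-alert` option is useful during the transition: it loads the drop rules but makes them alert only, so the rule set can be tuned for false positives before it starts blocking production traffic.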
