[Oisf-users] Pass and Drop

Will Metcalf william.metcalf at gmail.com
Thu Jun 17 12:19:44 UTC 2010


> The rules should alert or drop based on a specific attack, otherwise,
> if no rule matched, Suricata lets it pass, am I right? In that case,
> traffic should pass at least an attack is detected, right?

Yes, to answer both questions... At this point, I think we are all
saying the same thing ;-)...

Regards,

Will

On Wed, Jun 16, 2010 at 8:36 AM, Martin Spinassi
<martins.listz at gmail.com> wrote:
> On Tue, 2010-06-15 at 13:19 -0400, Brant Wells wrote:
>
>> Hey Guys,
>>
>>
>> I've been following this discussion this morning but haven't had a
>> chance to reply...
>>
>> If you want to let Suricata pass traffic from your HOME_NET, then why
>> add any rules at all?  You can still see what is being done to that host
>> via the HTTP logs (both from Suricata and on that host itself).  Then,
>> you are free to add any rules that you need in order to detect actual
>> attacks...  Or am I misinterpreting what you are trying to accomplish?
>>
>>
>> See Yas!
>> ~Brant
>
> Hello Brant,
>
> Thanks, I think your mail clarified my question.
>
> The rules should alert or drop based on a specific attack, otherwise,
> if no rule matched, Suricata lets it pass, am I right? In that case,
> traffic should pass at least an attack is detected, right?
>
> Best regards,
>
> Martin
>
>
>
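To make the pass/drop/alert semantics discussed in this thread concrete, here is an added example rule set written for this note (it is not from the thread and not from the Suricata project). It assumes the default suricata.yaml action order (pass, drop, reject, alert), the standard $HOME_NET/$EXTERNAL_NET variables, and a made-up address variable $MONITORING_HOST; all sids and content strings are constructed.

```suricata
# Constructed example rules for the pass/drop/alert discussion.
# With the default action-order (pass, drop, reject, alert), a matching pass
# rule wins over every drop/alert rule for that packet, so a broad pass rule
# silently disables detection for whatever it covers.

# 1. Detection rules fire only on a specific condition. Traffic that matches
#    no rule is passed by default, so no pass rule is needed for that.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE request to suspicious path"; flow:established,to_server; http.uri; content:"/example-bad-path"; sid:1000001; rev:1;)

# 2. drop only blocks when Suricata runs inline (IPS mode); in IDS mode a
#    drop rule just logs like an alert.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE drop request to blocked path"; flow:established,to_server; http.uri; content:"/example-blocked-path"; sid:1000002; rev:1;)

# 3. Caveat: a blanket pass rule like this (kept commented out) would exempt
#    every packet from HOME_NET from the rules above. This is why Brant's
#    suggestion is simply to leave pass rules out.
# pass ip $HOME_NET any -> any any (msg:"EXAMPLE blanket pass, do not use"; sid:1000003; rev:1;)

# 4. If an exemption really is required, scope it as narrowly as possible:
#    one source, one destination, one port, one matched condition.
pass http $HOME_NET any -> $MONITORING_HOST 80 (msg:"EXAMPLE pass health checks only"; flow:established,to_server; http.uri; content:"/healthz"; sid:1000004; rev:1;)
```

Loading the file with suricata -T -S <file> validates the syntax before deploying it, and the alert/drop rules can be confirmed by watching fast.log or eve.json for the EXAMPLE messages.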
