[Oisf-users] Suricata Inline

Victor Julien lists at inliniac.net
Tue Apr 2 07:21:41 UTC 2013


On 03/24/2013 12:00 AM, john.jones.here at gmail.com wrote:
> I've just installed Suricata in inline mode and have confirmed that it
> is working OK by testing my own drop rule.
> I'm new to IPS and I'm a little confused.
> At present I have been updating the rule files using Oinkmaster which is
> also running fine.
> The vast majority of rules defined seem to have the action 'alert'. Do I
> need to individually modify rules to 'drop' via Oinkmaster before
> Suricata will actively start protecting the network, or is it already
> doing so?

You will need to change the rules yourself. Enabling every rule to drop
would be bad, as there are a lot of "info" rules. Also, not every rule
is fully reliable, so be careful.

Personally (really personally, personal network) I use:

modifysid dos.rules, exploit.rules, malware.rules, \
  rbn-malvertisers.rules, scan.rules, trojan.rules, \
  user_agents.rules, virus.rules, worm.rules \
  "^alert (.*)" | "drop ${1}"

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
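The same alert-to-drop rewrite expressed in Python, as an added example that is not from the post or from Oinkmaster itself: it applies the reply's `^alert (.*)` → `drop ${1}` substitution only to the rule files named above, leaves commented-out rules untouched, and (an assumption added for this example, to honour the "info rules" caveat) keeps rules with informational classtypes on `alert`. The sample ruleset is constructed, not a real one.

```python
import re

# Rule files the reply converts wholesale (the list from the post).
DROP_FILES = {
    "dos.rules", "exploit.rules", "malware.rules", "rbn-malvertisers.rules",
    "scan.rules", "trojan.rules", "user_agents.rules", "virus.rules", "worm.rules",
}

# Same pattern as the modifysid line: "alert" at the start of an active rule.
# Commented-out rules start with '#', so they never match.
ALERT_RE = re.compile(r"^alert (.*)$")

# Assumed for this example: classtypes treated as informational. Rules carrying
# them keep alerting instead of dropping (the reply's "info rules" caveat).
INFO_CLASSTYPES = {"not-suspicious", "policy-violation", "unknown"}

def convert_rule(line):
    """Turn an active 'alert' rule into 'drop'; return anything else unchanged."""
    m = ALERT_RE.match(line)
    if not m:
        return line  # comments, blank lines, pass/drop/reject rules
    body = m.group(1)
    ct = re.search(r"classtype:\s*([\w-]+)\s*;", body)
    if ct and ct.group(1) in INFO_CLASSTYPES:
        return line  # informational rule: alerting is enough
    return "drop " + body  # equivalent of "drop ${1}"

def convert_file(name, text):
    """Apply convert_rule to a file named in DROP_FILES.
    Returns (new_text, number_of_rules_changed); other files pass through."""
    if name not in DROP_FILES:
        return text, 0
    out, changed = [], 0
    for line in text.split("\n"):
        new = convert_rule(line)
        changed += new != line
        out.append(new)
    return "\n".join(out), changed

# Constructed sample ruleset (not real signatures).
SAMPLE = """# constructed sample, not a real ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"TEST trojan beacon"; classtype:trojan-activity; sid:9000001; rev:1;)
#alert tcp any any -> any any (msg:"TEST disabled rule"; classtype:trojan-activity; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"TEST info only"; classtype:not-suspicious; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    new_text, n = convert_file("trojan.rules", SAMPLE)
    print(f"{n} rule(s) switched to drop\n{new_text}")
```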
