[Oisf-users] (no subject)

Cooper F. Nelson cnelson at ucsd.edu
Sat Jun 15 15:55:04 UTC 2013



You are doing it wrong.

Best practice is to run all signatures in 'alert' mode by default and
only set rules to 'drop' if they qualify as 'bad traffic' in your
environment.

As a compromise you might consider just enabling drop rules for a
certain classtype.  Like in this example from oinkmaster.conf:

> # Example to convert all rules of classtype attempted-admin to 'drop'
> # rules (for Snort_inline only, obviously).
> # modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"

-Coop

On 6/15/2013 3:45 AM, mouna amani wrote:
> When working in IPS mode I changed all the rules to drop.
> First I wanted to do a ping and then send some normal TCP traffic from my
> host1 to my host2 with the IPS in the middle.
> The ping did not work :( . It is not bad traffic, so I think it should not
> be blocked.
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
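The oinkmaster `modifysid` conversion Coop quotes above, applied as a stand-alone script. This is an added example, not code from the thread or from the oinkmaster project, and the rules and sid values in it are constructed placeholders. It uses the same regular expression, so commented-out rules and rules of any other classtype stay in alert mode, which is the selective drop policy the reply recommends.

```python
import re

# Constructed sample ruleset (not from the mailing list); sid values are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE admin attempt"; classtype:attempted-admin; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"EXAMPLE ping seen"; classtype:misc-activity; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; classtype:attempted-admin; sid:1000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE web admin"; classtype : attempted-admin; sid:1000004; rev:1;)
"""


def classtype_pattern(classtype):
    """Same shape as the oinkmaster example: anchored on 'alert ', tolerant of
    whitespace around the ':' in the classtype keyword, capturing the rest of
    the rule up to and including the classtype value."""
    return re.compile(r"^alert (.*classtype\s*:\s*" + re.escape(classtype) + r")")


def convert_to_drop(rules_text, classtype="attempted-admin"):
    """Rewrite active 'alert' rules of the given classtype to 'drop' rules.
    Lines that are commented out, blank, or of another classtype are returned
    unchanged, as they would be by the modifysid example."""
    pat = classtype_pattern(classtype)
    return "\n".join(pat.sub(r"drop \1", line) for line in rules_text.splitlines())


def count_actions(rules_text):
    """Tally rule actions so the resulting policy can be sanity-checked
    (a mostly-'alert' ruleset with a few targeted 'drop' rules is the goal)."""
    counts = {}
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action = line.split(None, 1)[0]
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    converted = convert_to_drop(SAMPLE_RULES)
    print(converted)
    print(count_actions(converted))
```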


