[Oisf-users] [OT] Auto enabling SID drops
Cooper F. Nelson
cnelson at ucsd.edu
Tue Apr 15 17:29:16 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I would use oinkmaster and do it by file, instead of by classification,
substituting the 'alert' keyword with 'drop'.
If I wanted to do it by classification I would use sed:
sed -i '/classtype:misc-attack;/s/^alert/drop/' *.rules
- -Coop
On 4/15/2014 1:57 AM, Phil Daws wrote:
> Hello,
>
> have started to test Suricata for use at work and have a question
> regarding the enabling of rules. Am using the ET ruleset and see
> Suricata alerting on the following:
>
> [1:2500074:3206] ET COMPROMISED Known Compromised or Hostile Host
> Traffic group 38 [Classification: Misc Attack] [Priority: 2]
>
> is there anyway to get specific classifications to automatically drop
> packets ? I know one can add the sid to dropsid.conf but wondered if
> there was another way.
>
> Thanks, Phil
>
>
> _______________________________________________ Suricata IDS Users
> mailing list: oisf-users at openinfosecfoundation.org Site:
> http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTTWxrAAoJEKIFRYQsa8FW1I0IAIE504q1qJBuQoHieLPY95IF
v12AcHPqLwZQRSdzyOUDeA9SwoHNo3tagYBxCEfkBRnTM9pSM2vOvJ/3ZMQ4dip4
U7qEFbSDjCOGTZEkGW7bH4q2Q+rD4GfsUsWCD5Txg0RkXoc70DTNs4J5rqzQ41oL
DJJj+RtZWZIl+QMYn1YlCfUEc+yv8ukl9TwSuW2EjGxfMuzLGSYnqmJodvm3ZzHv
JUo2qhfQNolmbr5o7Fng+Q07D4+YkhH2hSGwgmJX+XVl8QYWb8fZuAa3WRtKo/tu
Wpoaq4As25eJ8M+r/ufed9AjcA2vukv7R6dsZg2qrKwZya5zqavN5ciHIhAQw6c=
=Ul6b
-----END PGP SIGNATURE-----
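The sed one-liner above matches on the rule's classtype keyword, which is what the rule files actually contain (the "[Classification: Misc Attack]" text in the alert is the description looked up from classification.config, not something present in the .rules file). The script below is an added example, not code from this thread, Oinkmaster or the ET project; it does the same alert-to-drop rewrite in Python while also taking a dropsid.conf-style SID list, and it skips commented-out rules so a disabled rule is not silently re-enabled as a drop. The rule lines and SIDs in it are constructed samples. Note that drop only has an effect when Suricata runs inline (IPS mode); in IDS mode a drop rule still only alerts, and because rule updates overwrite the .rules files, the rewrite has to be rerun after every update.

```python
import re

# Leading action keyword of an uncommented Suricata rule line.
ACTION_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+')
# classtype:<name>; as written in the rule body (not the alert display text).
CLASSTYPE_RE = re.compile(r'\bclasstype\s*:\s*([A-Za-z0-9_-]+)\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample rules in ET-style syntax; not real ET content.
SAMPLE_RULES = """\
# constructed sample rule file
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"EXAMPLE known hostile host"; classtype:misc-attack; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE policy check"; classtype:policy-violation; sid:9000002; rev:1;)
#alert ip 192.0.2.12 any -> $HOME_NET any (msg:"EXAMPLE disabled rule"; classtype:misc-attack; sid:9000003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE sid-listed rule"; classtype:attempted-recon; sid:9000004; rev:1;)
"""

# Constructed dropsid.conf-style list: one SID per line, '#' comments allowed.
SAMPLE_DROPSID_CONF = """\
# SIDs that should always drop
9000004
"""


def parse_sid_list(text):
    """Return the set of SIDs from a dropsid.conf-style text."""
    sids = set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            sids.add(int(line))
    return sids


def rule_selected(line, classtypes, sids):
    """True if the rule carries one of the classtypes or one of the SIDs."""
    ct = CLASSTYPE_RE.search(line)
    if ct and ct.group(1).lower() in classtypes:
        return True
    sid = SID_RE.search(line)
    return bool(sid) and int(sid.group(1)) in sids


def convert_rules(text, classtypes=(), sids=()):
    """Rewrite 'alert' to 'drop' for selected, uncommented rules.

    Returns (new_text, number_of_rules_changed). Lines that are commented
    out, already use another action, or do not match are left untouched.
    """
    classtypes = {c.lower() for c in classtypes}
    sids = set(sids)
    out = []
    changed = 0
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        if m and m.group('action') == 'alert' and rule_selected(line, classtypes, sids):
            line = 'drop' + line[len('alert'):]
            changed += 1
        out.append(line)
    new_text = '\n'.join(out)
    if text.endswith('\n'):
        new_text += '\n'
    return new_text, changed


if __name__ == '__main__':
    # Stand-alone demo on the constructed samples; a real run would read
    # the .rules files after each rule update and write them back.
    converted, n = convert_rules(SAMPLE_RULES,
                                 classtypes=('misc-attack',),
                                 sids=parse_sid_list(SAMPLE_DROPSID_CONF))
    print(f'{n} rule(s) changed to drop')
    print(converted)
```

Running it over a directory of rule files is a matter of reading each file, calling convert_rules, and writing the result back; keeping the classtype list and the SID list as inputs means the same script covers both the by-classification case asked about here and the existing dropsid.conf approach.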