[Oisf-users] Configure Suricata drop rule to drop whole source

First Root | Michael mh at first-root.com
Fri Aug 22 15:08:37 UTC 2014


We are playing around with some basic drop rules for Suricata inline and are running this very basic rule:
drop tcp any any -> any 80 (msg: "drop port 80"; classtype:drop-rule;sid:14051;rev:1; threshold: type both, track by_src, count 10, seconds 10;)

From the logs we can see that it drops the connection, but based on the source IP address and source port, which is, I think, not what we want, as the source port is given by the OS and should be random.
So is there a way to configure Suricata to keep track of this based on the source IP and not the source IP and source port?
Also, is it possible that Suricata creates a drop rule for the whole source IP address and not the source IP and source port?
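The following is an added example (my own code, not from the poster and not part of Suricata) that models how a threshold of "count 10, seconds 10, type both" behaves when the counter is keyed on source IP alone versus on source IP plus source port. The window/reset logic is an approximation of the threshold semantics for illustration, and the flow records are constructed: one client opens twelve connections to port 80 from twelve different ephemeral ports inside ten seconds, plus one unrelated client.

```python
from collections import namedtuple

# Constructed sample flows: (timestamp_s, src_ip, src_port, dst_port).
# 10.0.0.5 opens 12 connections to port 80 from 12 ephemeral ports
# within 12 seconds; 10.0.0.9 opens a single connection.
Flow = namedtuple("Flow", "ts src_ip src_port dst_port")
EVENTS = [Flow(t, "10.0.0.5", 40000 + t, 80) for t in range(12)]
EVENTS.append(Flow(20, "10.0.0.9", 51000, 80))


def by_src(flow):
    """Key that groups hits per source IP (what 'track by_src' means)."""
    return flow.src_ip


def by_src_and_port(flow):
    """Key that also includes the ephemeral source port (hypothetical
    tracking mode used here only to show why it never accumulates)."""
    return (flow.src_ip, flow.src_port)


class Threshold:
    """Approximates 'threshold: type both, count N, seconds S':
    count hits per key inside an S-second window that starts at the
    key's first hit; fire once when the count reaches N; start a fresh
    window after S seconds have elapsed."""

    def __init__(self, count, seconds, key_fn):
        self.count = count
        self.seconds = seconds
        self.key_fn = key_fn
        self.state = {}  # key -> {"start": ts, "count": n, "fired": bool}

    def observe(self, flow):
        key = self.key_fn(flow)
        entry = self.state.get(key)
        if entry is None or flow.ts - entry["start"] >= self.seconds:
            entry = {"start": flow.ts, "count": 0, "fired": False}
            self.state[key] = entry
        entry["count"] += 1
        if entry["count"] >= self.count and not entry["fired"]:
            entry["fired"] = True
            return True  # the rule action (drop) would apply from here
        return False


def run(events, key_fn, count=10, seconds=10):
    """Return the (timestamp, key) pairs at which the threshold fired."""
    th = Threshold(count, seconds, key_fn)
    return [(f.ts, key_fn(f)) for f in events if f.dst_port == 80 and th.observe(f)]


if __name__ == "__main__":
    print("track by source IP      :", run(EVENTS, by_src))
    print("track by IP + source port:", run(EVENTS, by_src_and_port))
```

Keyed on the source IP, the tenth connection from 10.0.0.5 (at second 9) trips the threshold; keyed on IP plus ephemeral port every connection is a fresh key with a count of one, so the threshold never fires. That is the distinction the question turns on.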


