[Oisf-users] Configure Suricata drop rule to drop whole source

Cooper F. Nelson cnelson at ucsd.edu
Fri Aug 22 17:54:30 UTC 2014



You are telling Suricata to only drop traffic for 10 seconds via the
threshold rule.  You probably shouldn't use thresholding for 'drop'
rules unless you are trying to drop floods/DoS or attempting to do some
kind of rate-shaping.

If you really want to drop all port 80 traffic try this rule:

> drop tcp any any -> any 80 (msg:"Local DROP Tcp port 80"; flow:from_client; sid:1;)

-Coop

On 8/22/2014 10:43 AM, First Root | Michael wrote:
> Hello Cooper,
> 
> thanks for your response. 
> It is not the case that I simply want to drop specific traffic, but this
> was the easiest way to show what my problem is ;).
> 
> Is there any way to define how long the drop is valid, as I asked in my
> last email?
> 
> Regards
> Michael
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
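To catch the pattern Cooper warns about (a 'drop' rule that is silently rate-limited by a threshold option), here is an added script that is not from the thread or the Suricata project: it parses a constructed rules file and lists the sids of drop rules that carry a threshold or detection_filter option. The rule set, messages and sids are constructed for the example.

```python
import re

# Constructed sample rule set: a thresholded drop rule like the one in the
# thread, the unconditional drop Cooper suggests, and a thresholded alert.
SAMPLE_RULES = """
# Thresholded drop: the action only applies to the first match per 10 s window per source
drop tcp any any -> any 80 (msg:"Local DROP Tcp port 80 (thresholded)"; flow:from_client; threshold: type limit, track by_src, count 1, seconds 10; sid:1;)
# Unconditional drop of all client-to-server port 80 traffic
drop tcp any any -> any 80 (msg:"Local DROP Tcp port 80"; flow:from_client; sid:2;)
# Thresholding an alert rule is fine; it only limits log volume
alert tcp any any -> any 80 (msg:"Count port 80 hits"; threshold: type limit, track by_src, count 1, seconds 10; sid:3;)
"""

# action, then the header up to the first "(", then everything up to the last ")"
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$')
# keyword[:value]; where a value may be a quoted string containing ";" or "("
OPT_RE = re.compile(r'(\w+)\s*(?::\s*((?:"[^"]*"|[^;"])*))?;')

# Options that rate-limit when a rule's action fires
RATE_LIMIT_OPTS = ('threshold', 'detection_filter')


def parse_rule(line):
    """Parse one Suricata rule line into (action, header, {option: value}), or None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {k: (v or '').strip() for k, v in OPT_RE.findall(m.group('options'))}
    return m.group('action'), m.group('header').strip(), opts


def find_thresholded_drops(rules_text):
    """Return the sids of drop rules whose action is gated by a rate-limiting option."""
    flagged = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment
        parsed = parse_rule(line)
        if parsed is None:
            continue  # not a rule we understand
        action, _header, opts = parsed
        if action == 'drop' and any(o in opts for o in RATE_LIMIT_OPTS):
            flagged.append(opts.get('sid'))
    return flagged


if __name__ == '__main__':
    for sid in find_thresholded_drops(SAMPLE_RULES):
        print(f"sid {sid}: drop rule is rate-limited; it will not drop every packet")
```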