[Oisf-users] deciding what to drop in suricata IPS
Oliver Humpage
oliver at watershed.co.uk
Mon Dec 12 10:26:18 UTC 2016
> On 9 Dec 2016, at 22:13, Vieri <rentorbuy at yahoo.com> wrote:
>
> fast.log has messages such as:
>
> 12/09/2016-22:46:31.396745 [**] [1:2500016:4174] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 1.2.3.4:51499 -> 10.215.144.91:22
>
> but nothing in drop.log.
By default the Emerging Threats rules are set only to alert, not to block.
I put this in my oinkmaster.conf:
modifysid emerging-exploit.rules, …, emerging-trojan.rules "^\s*alert" | "drop"
Which changes all rules in those files to drop. I suspect you can also run modifysid on individual SID numbers.
Oliver.
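As an added illustration of what the oinkmaster `modifysid` line above does (this is example code written for this page, not Oliver's configuration or anything from the oinkmaster or Suricata projects), the script below rewrites the action keyword of Suricata rule lines, either for every rule in a file or only for a chosen set of SIDs, which is the per-SID variant Oliver suspects is possible. The rule lines are constructed samples (the SID/rev pair 2500016/4174 is taken from the fast.log line quoted above, the rule bodies are invented); it skips commented-out rules and blank lines, and leaves rules untouched whose SID is not in the selection.

```python
import re
from typing import Iterable, List, Optional, Set

# Action keyword at the start of a rule line (leading whitespace allowed).
# Commented-out rules ('#alert ...') deliberately do not match.
_ACTION_RE = re.compile(
    r"^(\s*)(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\b"
)
# 'sid:NNN;' option inside the rule body.
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules for this example; not real Emerging Threats content.
SAMPLE_RULES = [
    "# constructed sample rule file",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh example"; sid:2500016; rev:4174;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED http example"; sid:9000001; rev:1;)',
    '#alert udp any any -> any 53 (msg:"CONSTRUCTED disabled rule"; sid:9000002; rev:1;)',
    "",
]


def rule_sid(rule: str) -> Optional[int]:
    """Return the numeric sid of a rule line, or None if it has none."""
    m = _SID_RE.search(rule)
    return int(m.group(1)) if m else None


def set_action(rule: str, new_action: str = "drop",
               sids: Optional[Set[int]] = None) -> str:
    """Rewrite the action of one rule line.

    With sids=None every active rule is rewritten (like modifysid on a whole
    file); with a set of SIDs only those rules change. Comments, blank lines
    and rules whose SID is not selected are returned unchanged.
    """
    m = _ACTION_RE.match(rule)
    if not m:
        return rule
    if sids is not None:
        sid = rule_sid(rule)
        if sid is None or sid not in sids:
            return rule
    return _ACTION_RE.sub(lambda mm: mm.group(1) + new_action, rule, count=1)


def convert_rules(lines: Iterable[str], new_action: str = "drop",
                  sids: Optional[Set[int]] = None) -> List[str]:
    """Apply set_action to every line of a rule file."""
    return [set_action(line, new_action, sids) for line in lines]


if __name__ == "__main__":
    # Whole-file conversion, equivalent to the modifysid line in the post.
    for line in convert_rules(SAMPLE_RULES):
        print(line)
    print("---")
    # Per-SID conversion: only the rule that fired in the quoted fast.log entry.
    for line in convert_rules(SAMPLE_RULES, sids={2500016}):
        print(line)
```

Running it prints the sample file twice: first with both active rules switched to `drop`, then with only sid 2500016 switched. Whichever way the rules are rewritten, Suricata has to be reloaded for the change to take effect, and only rules whose action is `drop` produce entries in drop.log.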