[Oisf-users] deciding what to drop in suricata IPS

Oliver Humpage oliver at watershed.co.uk
Mon Dec 12 10:26:18 UTC 2016

> On 9 Dec 2016, at 22:13, Vieri <rentorbuy at yahoo.com> wrote:
> fast.log has messages such as:
> 12/09/2016-22:46:31.396745  [**] [1:2500016:4174] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} ->
> but nothing in drop.log.

By default the Emerging Threats rules are set only to alert, not to block.

I put this in my oinkmaster.conf:

modifysid emerging-exploit.rules, …, emerging-trojan.rules  "^\s*alert" | “drop"

Which changes all rules in those files to drop. I suspect you can also run modifysid on individual SID numbers.


More information about the Oisf-users mailing list