[Oisf-users] Suricata not blocking bad traffic

gatodiablo at protonmail.com gatodiablo at protonmail.com
Tue Jul 10 12:31:14 UTC 2018


Ok. It's easy enough to use sed to change the alerts to drops, but what about the next time updated rules are downloaded? I would have to change them again. I use emerging threat rules and they all appear to be alert only. Surely there is a simpler way to solve this?

Sent from ProtonMail mobile

-------- Original Message --------
On Jul 9, 2018, 1:08 PM, Andreas Herz wrote:

> On 08/07/18 at 21:58, gatodiablo at protonmail.com wrote:
>> Alert I think. Do I need a different set of rules to run in IPS mode? I ideally want it to both alert and drop anything that matches a rule.
>
> Yes you need to change the action keyword from 'alert' to 'drop' or it
> won't be dropped/blocked. You will still get an "alert" message as well
> which also mentions the drop.
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
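The sed-based conversion the poster describes, written up as a small script that can be re-run after every ruleset download so the converted rules do not revert to alert. This is an added example, not code from the thread or from the Suricata project; it assumes plain-text rule files with one rule per line, and the sample ruleset with local-range sids is constructed for the demo.

```shell
#!/bin/sh
# Convert enabled 'alert' rules to 'drop' in a Suricata rule file.
# Meant to be re-run after every rule update (from the script or cron job
# that fetches the ruleset), because the downloaded files come back as 'alert'.
# Only lines that begin with the action keyword are rewritten; commented-out
# rules (#alert ...), blank lines, rules already set to 'drop' and the word
# "alert" inside a msg string are left untouched.
alert_to_drop() {
    in_file=$1
    out_file=$2
    sed -e 's/^\([[:space:]]*\)alert[[:space:]]\{1,\}/\1drop /' "$in_file" > "$out_file"
}

# Count enabled rules with a given action, to check the result after each run.
# Usage: count_action <action> <rules-file>
count_action() {
    grep -c "^[[:space:]]*$1[[:space:]]" "$2" || true
}

# Constructed sample ruleset (sids in the local range, not real ET rules).
demo_rules() {
    cat <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed rule 1"; sid:1000001; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"disabled rule stays disabled"; sid:1000002; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"already drop"; sid:1000003; rev:1;)

pass tcp any any -> any any (msg:"alert inside msg is not an action"; sid:1000004; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"constructed rule 2"; sid:1000005; rev:1;)
EOF
}

# Run with --demo to convert the sample ruleset and show the counts.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    demo_rules > "$tmp/in.rules"
    alert_to_drop "$tmp/in.rules" "$tmp/out.rules"
    echo "alert rules left: $(count_action alert "$tmp/out.rules")"
    echo "drop rules now:   $(count_action drop "$tmp/out.rules")"
    cat "$tmp/out.rules"
    rm -rf "$tmp"
fi
```

After converting, run `suricata -T -c suricata.yaml` (or reload the rules) and check the counts above, since a rule that no longer parses is silently worse than one that only alerts.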