[Oisf-users] Suricata not blocking bad traffic
Victor Julien
lists at inliniac.net
Tue Jul 10 13:28:51 UTC 2018
We recommend suricata-update:
http://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules
and
http://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-convert-rules-to-drop-drop-conf
On 10-07-18 14:48, Leonard wrote:
> You want to use one of signature management tools that can automatically
> manage the signatures that can set the actions you want. See the
> Suricata docs.
>
> On Jul 10, 2018, at 7:31 AM, gatodiablo at protonmail.com
> <mailto:gatodiablo at protonmail.com> wrote:
>
>> Ok. It's easy enough to use sed to change the alerts to drops, but
>> what about the next time updated rules are downloaded? I would have to
>> change them again. I use emerging threat rules and they all appear to
>> be alert only. Surely there is a simpler way to solve this?
>>
>>
>> Sent from ProtonMail mobile
>>
>>
>>
>> -------- Original Message --------
>> On Jul 9, 2018, 1:08 PM, Andreas Herz < andi at geekosphere.org
>> <mailto:andi at geekosphere.org>> wrote:
>>
>>
>> On 08/07/18 at 21:58, gatodiablo at protonmail.com
>> <mailto:gatodiablo at protonmail.com> wrote:
>> > Alert I think. Do I need a different set of rules to run in IPS
>> > mode? I ideally want it to both alert and drop anything that
>> > matches a rule.
>>
>> Yes you need to change the action keyword from 'alert' to 'drop' or it
>> won't be dropped/blocked. You will still get an "alert" message as well,
>> which also mentions the drop.
>>
>> --
>> Andreas Herz
>> _______________________________________________
>> Suricata IDS Users mailing list:
>> oisf-users at openinfosecfoundation.org
>> <mailto:oisf-users at openinfosecfoundation.org>
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
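As an added illustration of what the drop.conf approach linked above does (this is my own reimplementation of the documented matching behaviour, not suricata-update's code): each config line is either a bare SID or an "re:" regular expression, and any enabled "alert" rule that matches has its action rewritten to "drop", so the conversion survives the next rule download. The rule lines and the config below are constructed for the example, and the regex is assumed to be matched case-insensitively against the raw rule text.

```python
import re

# Constructed sample ruleset: three enabled ET-style alert rules and one disabled (commented) rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Example SSH scan"; sid:2001219; rev:20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example beacon"; sid:2019401; rev:3;)
#alert dns any any -> any 53 (msg:"ET TROJAN Example disabled rule"; sid:2100001; rev:1;)
alert tls any any -> any any (msg:"ET POLICY Example TLS"; sid:2100002; rev:1;)
"""

# Constructed drop.conf in the documented format: one bare SID or one "re:<regex>" per line.
SAMPLE_DROP_CONF = """\
# comment lines and blank lines are ignored
2001219
re:trojan
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")   # pulls the sid out of a rule's options
ACTION_RE = re.compile(r"^(alert)(\s)")       # only an enabled 'alert' action is rewritten


def parse_drop_conf(text):
    """Return (set of SIDs, list of compiled regexes) from drop.conf-style text."""
    sids, patterns = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            patterns.append(re.compile(line[3:].strip(), re.I))  # assumption: case-insensitive
        elif line.isdigit():
            sids.add(int(line))
    return sids, patterns


def apply_drop(rules_text, drop_conf_text):
    """Rewrite matching enabled 'alert' rules to 'drop'; disabled rules and non-matches pass through."""
    sids, patterns = parse_drop_conf(drop_conf_text)
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        disabled = line.lstrip().startswith("#")
        hit = (sid in sids) or any(p.search(line) for p in patterns)
        if hit and not disabled:
            line = ACTION_RE.sub(r"drop\2", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"
```

Running apply_drop(SAMPLE_RULES, SAMPLE_DROP_CONF) turns the first two rules into drop rules and leaves the disabled TROJAN rule and the POLICY rule untouched, which is the same outcome the linked suricata-update configuration produces on every update.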