[Oisf-users] Suricata not blocking bad traffic

Leonard ljacobs at netsecuris.com
Tue Jul 10 13:38:56 UTC 2018


Victor,

What makes this tool or method better than the other tools out there?  Just curious.

Thanks.

Leonard

> On Jul 10, 2018, at 8:28 AM, Victor Julien <lists at inliniac.net> wrote:
> 
> We recommend suricata-update:
> 
> http://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules
> 
> and
> 
> http://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-convert-rules-to-drop-drop-conf
> 
>> On 10-07-18 14:48, Leonard wrote:
>> You want to use one of the signature management tools that can automatically
>> manage the signatures that can set the actions you want.  See the
>> Suricata docs.
>> 
>> On Jul 10, 2018, at 7:31 AM, gatodiablo at protonmail.com
>> <mailto:gatodiablo at protonmail.com> wrote:
>> 
>>> Ok. It's easy enough to use sed to change the alerts to drops, but
>>> what about the next time updated rules are downloaded? I would have to
>>> change them again. I use emerging threat rules and they all appear to
>>> be alert only. Surely there is a simpler way to solve this?
>>> 
>>> 
>>> Sent from ProtonMail mobile
>>> 
>>> 
>>> 
>>> -------- Original Message --------
>>> On Jul 9, 2018, 1:08 PM, Andreas Herz < andi at geekosphere.org
>>> <mailto:andi at geekosphere.org>> wrote:
>>> 
>>> 
>>>    On 08/07/18 at 21:58, gatodiablo at protonmail.com
>>>    <mailto:gatodiablo at protonmail.com> wrote:
>>>> Alert I think. Do I need a different set of rules to run in IPS
>>>> mode? I ideally want it to both alert and drop anything that
>>>> matches a rule.
>>> 
>>>    Yes you need to change the action keyword from 'alert' to 'drop' or it
>>>    won't be dropped/blocked. You will still get an "alert" message as
>>>    well, which also mentions the drop.
>>> 
>>>    -- 
>>>    Andreas Herz
>>>    _______________________________________________
>>>    Suricata IDS Users mailing list:
>>>    oisf-users at openinfosecfoundation.org
>>>    <mailto:oisf-users at openinfosecfoundation.org>
>>>    Site: http://suricata-ids.org | Support:
>>>    http://suricata-ids.org/support/
>>>    List:
>>>    https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> 
>>>    Conference: https://suricon.net
>>>    Trainings: https://suricata-ids.org/training/
>> 
>> 
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to which they
>> are addressed. If you have received this email in error please notify
>> Netsecuris management at mgmt at netsecuris.com. Please note that any views
>> or opinions presented in this email are solely those of the author and
>> do not necessarily represent those of Netsecuris Inc. The integrity and
>> security of this message cannot be guaranteed on the Internet
>> 
>> 
>> 
> 
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 



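Andreas's point above (the action keyword must be changed from alert to drop) and the drop.conf mechanism Victor points to, as an added Python example that is not part of this thread nor of suricata-update itself: it rewrites the action of rules selected by a sid list or a `re:` pattern, leaving commented-out and already-drop rules untouched. The sample rules, the sids and the two-form drop list (bare sid, `re:` regex) are constructed assumptions modelled on, but not identical to, suricata-update's drop.conf.

```python
import re

# Constructed sample rules in Suricata syntax; sids are made up, not real ET rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH probe"; flow:to_server; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED suspicious UA"; content:"evil"; sid:9000002; rev:2;)
# alert ip any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:9000003; rev:1;)
drop tcp any any -> any 23 (msg:"CONSTRUCTED already drop"; sid:9000004; rev:1;)
"""

ACTION_RE = re.compile(r"^(alert)(\s+)")   # only active alert rules are candidates
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_drop_conf(text):
    """Parse a simplified drop list: each non-comment line is either a numeric
    sid or 're:<regex>' matched against the whole rule text (assumed format)."""
    sids, patterns = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            patterns.append(re.compile(line[3:].strip()))
        else:
            sids.add(int(line))
    return sids, patterns


def convert_to_drop(rules_text, drop_conf_text):
    """Return (rewritten rules, list of sids whose action became drop).
    Re-running this after every rule download gives the same result, which is
    what a one-off sed edit does not."""
    sids, patterns = parse_drop_conf(drop_conf_text)
    out, changed = [], []
    for rule in rules_text.splitlines():
        m = SID_RE.search(rule)
        if rule.startswith("#") or not m or not ACTION_RE.match(rule):
            out.append(rule)   # commented out, no sid, or not an alert rule: keep as-is
            continue
        sid = int(m.group(1))
        if sid in sids or any(p.search(rule) for p in patterns):
            rule = ACTION_RE.sub(r"drop\2", rule, count=1)
            changed.append(sid)
        out.append(rule)
    return "\n".join(out) + "\n", changed
```

Suricata still logs an alert for a drop rule, so converting the action does not silence the event, it only adds the block.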