[Oisf-users] Suricata not blocking bad traffic

Michael Shirk shirkdog.bsd at gmail.com
Tue Jul 10 13:50:05 UTC 2018


As the maintainer of pulledpork, I can state that pulledpork
"can/does" work for suricata rule update. But suricata-update has been
built to specifically work with suricata and its features, and is the
recommended solution for rule management.

On Tue, Jul 10, 2018 at 9:38 AM, Leonard <ljacobs at netsecuris.com> wrote:
> Victor,
>
> What makes this tool or method better than the other tools out there?  Just
> curious.
>
> Thanks.
>
> Leonard
>
>> On Jul 10, 2018, at 8:28 AM, Victor Julien <lists at inliniac.net> wrote:
>>
>> We recommend suricata-update:
>>
>>
>> http://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules
>>
>> and
>>
>>
>> http://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-convert-rules-to-drop-drop-conf
>>
>>> On 10-07-18 14:48, Leonard wrote:
>>> You want to use one of the signature management tools that can automatically
>>> manage the signatures and set the actions you want.  See the
>>> Suricata docs.
>>>
>>> On Jul 10, 2018, at 7:31 AM, gatodiablo at protonmail.com wrote:
>>>
>>>> Ok. It's easy enough to use sed to change the alerts to drops, but
>>>> what about the next time updated rules are downloaded? I would have to
>>>> change them again. I use emerging threat rules and they all appear to
>>>> be alert only. Surely there is a simpler way to solve this?
>>>>
>>>> -------- Original Message --------
>>>> On Jul 9, 2018, 1:08 PM, Andreas Herz <andi at geekosphere.org> wrote:
>>>>
>>>>
>>>>    On 08/07/18 at 21:58, gatodiablo at protonmail.com wrote:
>>>>    > Alert I think. Do I need a different set of rules to run in IPS
>>>>    > mode? I ideally want it to both alert and drop anything that
>>>>    > matches a rule.
>>>>
>>>>    Yes you need to change the action keyword from 'alert' to 'drop' or it
>>>>    won't be dropped/blocked. You will still get an "alert" message as well
>>>>    which also mentions the drop.
>>>>
>>>>    --
>>>>    Andreas Herz
>>>>    _______________________________________________
>>>>    Suricata IDS Users mailing list:
>>>>    oisf-users at openinfosecfoundation.org
>>>>    <mailto:oisf-users at openinfosecfoundation.org>
>>>>    Site: http://suricata-ids.org | Support:
>>>>    http://suricata-ids.org/support/
>>>>    List:
>>>>    https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>
>>>>    Conference: https://suricon.net
>>>>    Trainings: https://suricata-ids.org/training/
>>>
>>>
>>> This email and any files transmitted with it are confidential and
>>> intended solely for the use of the individual or entity to which they
>>> are addressed. If you have received this email in error please notify
>>> Netsecuris management at mgmt at netsecuris.com. Please note that any views
>>> or opinions presented in this email are solely those of the author and
>>> do not necessarily represent those of Netsecuris Inc. The integrity and
>>> security of this message cannot be guaranteed on the Internet
>>>
>>>
>>>
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>



-- 
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com
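The thread's advice boils down to one rewrite: enabled rules you want Suricata to block in IPS mode must start with 'drop' instead of 'alert', and suricata-update's drop.conf does that rewrite on every update so you don't redo it by hand. The script below is an added stand-alone illustration of that transformation, not suricata-update's own code or any ET ruleset; it assumes a subset of the drop.conf syntax (a bare sid, 'gid:sid', or 're:<regex>' per line; check the linked docs for the authoritative format), and the sample rules and sids it embeds are constructed placeholders.

```python
import re

# Leading action keyword of a rule line; an optional '#' marks a disabled rule.
RULE_RE = re.compile(r"^(?P<prefix>\s*#?\s*)(?P<action>alert|drop|pass|reject)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_drop_conf(lines):
    """Parse a drop.conf-style list into (sids, compiled regexes).

    Assumed subset of the format: one entry per line, either a bare sid,
    'gid:sid', or 're:<regex>' matched case-insensitively against the rule text.
    Blank lines and '#' comments are ignored.
    """
    sids, patterns = set(), []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith("re:"):
            patterns.append(re.compile(entry[3:].strip(), re.IGNORECASE))
        else:
            sids.add(int(entry.split(":")[-1]))  # 'gid:sid' or plain 'sid'
    return sids, patterns


def convert_to_drop(rule_lines, sids, patterns):
    """Return (rewritten lines, count) with matching enabled 'alert' rules set to 'drop'."""
    out, changed = [], 0
    for line in rule_lines:
        m = RULE_RE.match(line)
        # Not a rule, not an alert, or commented out (disabled): leave untouched.
        if not m or m.group("action") != "alert" or "#" in m.group("prefix"):
            out.append(line)
            continue
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        if sid in sids or any(p.search(line) for p in patterns):
            line = m.group("prefix") + "drop" + line[m.end("action"):]
            changed += 1
        out.append(line)
    return out, changed


# Constructed sample input: not Emerging Threats rules, sids are placeholders.
SAMPLE_RULES = [
    "# constructed sample ruleset",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; sid:9000001; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE trojan beacon"; sid:9000002; rev:1;)',
    '#alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000003; rev:1;)',
    'alert dns any any -> any any (msg:"EXAMPLE benign lookup"; sid:9000004; rev:1;)',
]
SAMPLE_DROP_CONF = ["# constructed drop list", "9000001", "re:trojan"]


def demo():
    """Apply the constructed drop list to the constructed ruleset."""
    sids, patterns = parse_drop_conf(SAMPLE_DROP_CONF)
    return convert_to_drop(SAMPLE_RULES, sids, patterns)


if __name__ == "__main__":
    rules, n = demo()
    print("\n".join(rules))
    print(f"{n} rule(s) converted to drop")
```

Run it and two of the four rules come back as 'drop' (one selected by sid, one by the regex on the msg text), while the commented-out rule and the unmatched one are left as they were. Running this kind of selection on every rule download is exactly what the sed approach in the thread lacks, and what drop.conf gives you for free.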

