[Oisf-users] Suricata not blocking bad traffic

Victor Julien lists at inliniac.net
Tue Jul 10 14:26:35 UTC 2018


On 10-07-18 15:50, Michael Shirk wrote:
> As the maintainer of pulledpork, I can state that pulledpork
> "can/does" work for suricata rule update. But suricata-update has been
> built to specifically work with suricata and its features, and is the
> recommended solution for rule management.

Let me add to what Michael said that we also introduced an easy way to
discover and enable other rule sets through the rule index. See the
original announcement:
https://suricata-ids.org/2017/12/05/announcing-suricata-update/

Cheers,
Victor


> On Tue, Jul 10, 2018 at 9:38 AM, Leonard <ljacobs at netsecuris.com> wrote:
>> Victor,
>>
>> What makes this tool or method better than the other tools out there?  Just
>> curious.
>>
>> Thanks.
>>
>> Leonard
>>
>>> On Jul 10, 2018, at 8:28 AM, Victor Julien <lists at inliniac.net> wrote:
>>>
>>> We recommend suricata-update:
>>>
>>>
>>> http://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules
>>>
>>> and
>>>
>>>
>>> http://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-convert-rules-to-drop-drop-conf
>>>
>>>> On 10-07-18 14:48, Leonard wrote:
>>>> You want to use one of the signature management tools that can automatically
>>>> manage the signatures and set the actions you want.  See the
>>>> Suricata docs.
>>>>
>>>> On Jul 10, 2018, at 7:31 AM, gatodiablo at protonmail.com
>>>> <mailto:gatodiablo at protonmail.com> wrote:
>>>>
>>>>> Ok. It's easy enough to use sed to change the alerts to drops, but
>>>>> what about the next time updated rules are downloaded? I would have to
>>>>> change them again. I use emerging threat rules and they all appear to
>>>>> be alert only. Surely there is a simpler way to solve this?
>>>>>
>>>>>
>>>>> Sent from ProtonMail mobile
>>>>>
>>>>>
>>>>>
>>>>> -------- Original Message --------
>>>>> On Jul 9, 2018, 1:08 PM, Andreas Herz < andi at geekosphere.org
>>>>> <mailto:andi at geekosphere.org>> wrote:
>>>>>
>>>>>
>>>>>    On 08/07/18 at 21:58, gatodiablo at protonmail.com
>>>>>    <mailto:gatodiablo at protonmail.com> wrote:
>>>>>> Alert I think. Do I need a different set of rules to run in IPS
>>>>>    mode? I ideally want it to both alert and drop anything that
>>>>>    matches a rule.
>>>>>
>>>>>    Yes you need to change the action keyword from 'alert' to 'drop' or it
>>>>>    won't be dropped/blocked. You will still get an "alert" message as well
>>>>>    which also mentions the drop.
>>>>>
>>>>>    --
>>>>>    Andreas Herz
>>>>>    _______________________________________________
>>>>>    Suricata IDS Users mailing list:
>>>>>    oisf-users at openinfosecfoundation.org
>>>>>    <mailto:oisf-users at openinfosecfoundation.org>
>>>>>    Site: http://suricata-ids.org | Support:
>>>>>    http://suricata-ids.org/support/
>>>>>    List:
>>>>>    https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>
>>>>>    Conference: https://suricon.net
>>>>>    Trainings: https://suricata-ids.org/training/
>>>>
>>>>
>>>> This email and any files transmitted with it are confidential and
>>>> intended solely for the use of the individual or entity to which they
>>>> are addressed. If you have received this email in error please notify
>>>> Netsecuris management at mgmt at netsecuris.com. Please note that any views
>>>> or opinions presented in this email are solely those of the author and
>>>> do not necessarily represent those of Netsecuris Inc. The integrity and
>>>> security of this message cannot be guaranteed on the Internet
>>>>
>>>
>>
>>
>>
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
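The conversion this thread is about, alert rules turned into drop rules in a way that survives the next rule download, written out as an added example. It is not code from the thread, from Emerging Threats or from suricata-update: it re-applies a small drop.conf-style selector list (a bare sid, "re:<regex>" and "group:<rule file>", the subset the linked docs describe) to a set of rule files, and is safe to run again after every update because rules that are already "drop", disabled "#" rules and "pass" rules are left untouched. The sample rules (sids in the 9000000 range) and the drop.conf text are constructed for the example; the matching semantics (case-insensitive regex over the whole rule line, fnmatch globs for group names) are assumptions of this script, not a statement about how suricata-update matches.

```python
"""Re-applyable alert-to-drop conversion driven by drop.conf-style selectors.
Added example for this thread; not suricata-update's code. Sample rules and
the drop.conf below are constructed, not real Emerging Threats signatures."""
import fnmatch
import re
from typing import Dict, List, Tuple

# One rule per line: optional leading '#' (disabled rule), the action keyword,
# then the rest of the rule. Multi-line rules are out of scope here.
RULE_RE = re.compile(r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<body>.+)$")
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")

Selector = Tuple[str, str]  # ("sid", "9000005"), ("re", "ssh scan"), ("group", "x.rules")


def parse_selectors(drop_conf: str) -> List[Selector]:
    """Parse the drop.conf subset used here: a bare sid (or gid:sid),
    're:<regex>' and 'group:<rule file>'. '#' starts a comment, so a regex
    containing '#' is not supported by this parser (assumption)."""
    selectors: List[Selector] = []
    for raw in drop_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("re:"):
            selectors.append(("re", line[3:].strip()))
        elif line.startswith("group:"):
            selectors.append(("group", line[6:].strip()))
        else:
            selectors.append(("sid", line.split(":")[-1].strip()))
    return selectors


def rule_selected(rule: str, filename: str, selectors: List[Selector]) -> bool:
    """True if any selector matches this rule. Regexes run over the whole rule
    text case-insensitively; group patterns are fnmatch globs on the file name
    (both are assumptions of this script about the matching semantics)."""
    m = SID_RE.search(rule)
    sid = m.group("sid") if m else None
    for kind, value in selectors:
        if kind == "sid" and sid == value:
            return True
        if kind == "re" and re.search(value, rule, re.IGNORECASE):
            return True
        if kind == "group" and fnmatch.fnmatch(filename, value):
            return True
    return False


def convert_to_drop(rules_by_file: Dict[str, List[str]],
                    selectors: List[Selector]) -> Tuple[Dict[str, List[str]], int]:
    """Return a copy of the rule files with matching enabled 'alert' rules
    rewritten as 'drop', plus the number of rules changed. Disabled ('#')
    rules, 'pass'/'reject' rules and rules already set to 'drop' are left
    alone, so re-running after the next rule download changes only new rules."""
    changed = 0
    out: Dict[str, List[str]] = {}
    for filename, lines in rules_by_file.items():
        new_lines = []
        for line in lines:
            m = RULE_RE.match(line)
            if (m and not m.group("disabled") and m.group("action") == "alert"
                    and rule_selected(line, filename, selectors)):
                line = "drop " + m.group("body")
                changed += 1
            new_lines.append(line)
        out[filename] = new_lines
    return out, changed


# Constructed sample rule files (sids in the 9000000 range, not real ET rules).
SAMPLE_RULES: Dict[str, List[str]] = {
    "emerging-trojan.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN constructed beacon"; content:"beacon"; sid:9000001; rev:1;)',
        '#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN constructed disabled rule"; sid:9000002; rev:1;)',
    ],
    "emerging-scan.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN constructed SSH scan"; content:"SSH-"; sid:9000003; rev:1;)',
        'pass ip $HOME_NET any -> 192.0.2.10 any (msg:"constructed allow-list entry"; sid:9000004; rev:1;)',
        'alert udp $HOME_NET any -> any 53 (msg:"ET DNS constructed query to bad domain"; sid:9000005; rev:2;)',
    ],
}

# Constructed drop.conf with one selector of each kind.
DROP_CONF = """
9000005                        # this exact sid
re:ssh scan                    # every rule whose text matches the regex
group:emerging-trojan.rules    # every rule in this file
"""


def run_example() -> Tuple[Dict[str, List[str]], int, int]:
    """Apply DROP_CONF to SAMPLE_RULES twice; the second pass changes nothing."""
    selectors = parse_selectors(DROP_CONF)
    converted, first_pass = convert_to_drop(SAMPLE_RULES, selectors)
    _, second_pass = convert_to_drop(converted, selectors)
    return converted, first_pass, second_pass


if __name__ == "__main__":
    converted, first, second = run_example()
    for filename, lines in converted.items():
        print(f"# {filename}")
        print("\n".join(lines))
    print(f"converted {first} rule(s); re-running converted {second}")
```

Three of the five sample rules become drop (the sid match, the regex match and the whole trojan file); the disabled rule and the pass rule are untouched, and a second pass over the converted output reports zero changes, which is the property a blanket sed over the rule files lacks. In practice the same selector list belongs in the drop.conf that suricata-update reads, so the conversion happens as part of each update rather than as a separate step.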


