[Oisf-users] suri-update: order of application of rules

Russell Fulton r.fulton at auckland.ac.nz
Mon Jun 11 21:26:20 UTC 2018


Can one specify the order of application of enable, disable and modify rules as one could in pulled pork (PP)?

In our environment (a large, very open network) most of the policy rules are far too noisy to be useful, but there are a few that we want to use. What I did with PP was to set the processing order to disable, enable, modify and then disable all Policy sigs and enable just those I wanted.

I have realised that, since I moved to suricata-update, I am not seeing any of the policy sigs firing. This became obvious last week when we discovered a crypto mining operation running in one of our labs ;) which triggered no alerts and was not ‘discovered’ until users started complaining about performance.

So two questions: What order does suricata-update use by default, and can we change it?

I looked into this a while back, including examining the source, but did not reach a definitive conclusion and never got to follow it up.

Russell
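An added example, not part of the post above or of suricata-update itself: it writes the two filter files that the pulledpork workflow described above maps onto (disable the whole ET policy group, re-enable a handful of SIDs), then checks the generated suricata.rules to confirm that the SIDs listed in enable.conf are actually active. Whatever order suricata-update applies its filters in, this post-run check is what tells you whether your intended policy sigs survived. Assumptions: the disable.conf/enable.conf syntax (`group:` and bare SID lines) follows suricata-update's documented filter format, the config and output paths are the usual defaults, the file name emerging-policy.rules is the ET policy group, and the SIDs 2000001/2000002 are placeholders. The sample rules file in the usage block is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed paths; override via env.
CONF_DIR="${CONF_DIR:-/etc/suricata}"                                   # assumption
RULES_OUT="${RULES_OUT:-/var/lib/suricata/rules/suricata.rules}"        # assumption

# Write the filter files equivalent to "disable all policy sigs, enable a few".
write_filters() {
    dir="$1"
    # disable.conf: every rule from the ET policy rule file (group: matches the file name)
    printf '# constructed by write_filters\ngroup:emerging-policy.rules\n' > "$dir/disable.conf"
    # enable.conf: only the policy sigs we actually want (placeholder SIDs)
    printf '# constructed by write_filters\n2000001\n2000002\n' > "$dir/enable.conf"
}

# 0 if SID appears on an active (not commented-out) rule line in the rules file.
sid_is_active() {
    rules_file="$1"; sid="$2"
    grep -E '^[[:space:]]*(alert|drop|pass|reject)' "$rules_file" \
        | grep -q "sid:[[:space:]]*$sid;"
}

# 0 if SID is present in the rules file but only in commented-out (disabled) form.
sid_is_disabled() {
    rules_file="$1"; sid="$2"
    grep -q "sid:[[:space:]]*$sid;" "$rules_file" && ! sid_is_active "$rules_file" "$sid"
}

# Check that every bare-SID entry in enable.conf is active in the generated rules.
# Only "sid" and "gid:sid" lines are checked; re:/group:/metadata: lines are skipped.
# Returns non-zero and lists the offenders if any expected SID is missing or disabled.
verify_enabled() {
    enable_conf="$1"; rules_file="$2"; rc=0
    while read -r line; do
        line="${line%%#*}"                                  # strip comments
        sid=$(printf '%s' "${line#[0-9]*:}" | tr -d '[:space:]')   # drop optional gid prefix
        case "$sid" in ''|*[!0-9]*) continue ;; esac        # not a bare SID entry
        if sid_is_disabled "$rules_file" "$sid"; then
            echo "DISABLED:  sid $sid (present but commented out)" >&2; rc=1
        elif ! sid_is_active "$rules_file" "$sid"; then
            echo "MISSING:   sid $sid (not in $rules_file at all)" >&2; rc=1
        fi
    done < "$enable_conf"
    return $rc
}

# Usage against a live install (runs suricata-update, then verifies):
#   sh thisfile.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_filters "$CONF_DIR"
    suricata-update
    verify_enabled "$CONF_DIR/enable.conf" "$RULES_OUT" && echo "all enable.conf SIDs active"
fi
```

The check deliberately distinguishes "present but commented out" from "absent": the first means a disable filter won over the enable entry, the second means the ruleset no longer carries that SID at all, and the two call for different fixes.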

