[Oisf-users] [FORGED] suri-update: order of application of rules
Russell Fulton
r.fulton at auckland.ac.nz
Mon Jun 11 21:28:59 UTC 2018
Damn! I did follow it up and Jason responded :).
Apologies for the noise, I am doing far too many things at once.
Russell
> On 12/06/2018, at 9:26 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
> Can one specify the order of application of enable, disable and modify rules as one could in Pulled Pork (PP)?
>
> In our environment (a large very open network) most of the policy rules are far too noisy to be useful but there are a few that we want to use. What I did with PP was to set the processing order to disable, enable, modify and then disable all Policy sigs and enable just those I wanted.
>
> I have realised that, since I moved to suricata-update I am not seeing any of the policy sigs firing. This became obvious last week when we discovered a crypto mining operation running in one of our labs ;) which triggered no alerts and was not ‘discovered’ until users started complaining about performance.
>
> So two questions: What order does suricata-update use by default and can we change it?
>
> I looked into this a while back including examining the source but did not reach a definitive conclusion but never got to follow it up
>
> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
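Why the processing order matters for the workflow Russell describes (disable every POLICY sig, then re-enable a chosen few), shown as an added Python example. This is my own illustration, not suricata-update's or Pulled Pork's code, and it does not answer what suricata-update actually does; the rules, sids and filter lists are constructed for the demo.

```python
import re

# Constructed sample ruleset (placeholder sids, not real ET sids): a noisy
# POLICY class of which only the crypto-mining sig is wanted, plus one MALWARE sig.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"ET POLICY Crypto Mining Stratum Login"; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"ET POLICY Cloud Storage Client"; classtype:policy-violation; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"ET MALWARE Known Trojan Beacon"; classtype:trojan-activity; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def load_rules(text):
    """Return {sid: [enabled, rule_text]}; a leading '#' marks a disabled rule."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        body = line.lstrip("# ")
        rules[int(SID_RE.search(body).group(1))] = [not line.startswith("#"), body]
    return rules

def matches(rule_text, spec):
    """A spec is an int sid or a regex matched against the rule text (PP/suricata-update style)."""
    if isinstance(spec, int):
        return int(SID_RE.search(rule_text).group(1)) == spec
    return re.search(spec, rule_text) is not None

def apply_policy(rules, disable, enable, modify, order=("disable", "enable", "modify")):
    """Apply the three filter lists in the given order; a later step overrides an earlier one."""
    out = {sid: list(r) for sid, r in rules.items()}
    for step in order:
        for r in out.values():
            if step == "disable" and any(matches(r[1], s) for s in disable):
                r[0] = False
            elif step == "enable" and any(matches(r[1], s) for s in enable):
                r[0] = True
            elif step == "modify":
                for spec, pattern, repl in modify:
                    if matches(r[1], spec):
                        r[1] = re.sub(pattern, repl, r[1])
    return out

def enabled_sids(rules):
    return sorted(sid for sid, (on, _) in rules.items() if on)

DISABLE = [r"ET POLICY"]                  # silence the whole noisy class
ENABLE = [1000001]                        # but keep the crypto-mining sig
MODIFY = [(1000001, r"^alert", "drop")]   # and turn it into a drop rule

def demo(order):
    return enabled_sids(apply_policy(load_rules(SAMPLE_RULES), DISABLE, ENABLE, MODIFY, order))

if __name__ == "__main__":
    print(demo(("disable", "enable", "modify")))  # [1000001, 1000003]: the PP order the post wants
    print(demo(("enable", "disable", "modify")))  # [1000003]: disable-all wins, mining sig never fires
```

The second run is the silent-failure mode the post describes: the enable list is applied, then overwritten by the blanket disable, and nothing warns that the wanted sig is off.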