[Oisf-users] [FORGED] suri-update: order of application of rules

Russell Fulton r.fulton at auckland.ac.nz
Mon Jun 11 21:28:59 UTC 2018


Damn! I did follow it up and Jason responded :).

Apologies for the noise, I am doing far too many things at once.

Russell

> On 12/06/2018, at 9:26 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
> Can one specify the order of application of enable, disable and modify rules as one could in pulled pork(PP)?
> 
> In our environment (a large very open network) most of the policy rules are far too noisy to be useful but there are a few that we want to use.  What I did with PP was to set the processing order to disable, enable, modify and then disable all Policy sigs and enable just those I wanted. 
> 
> I have realised that, since I moved to suricata-update I am not seeing any of the policy sigs firing.  This became obvious last week when we discovered a crypto mining operation running in one of our labs  ;) which triggered no alerts and was not ‘discovered’ until users started complaining about performance.
> 
> So two questions:  What order does suricata-update use by default and can we change it?
> 
> I looked into this a while back, including examining the source, but did not reach a definitive conclusion and never got to follow it up.
> 
> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
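An added example, not code from the post, from suricata-update or from PulledPork: a small simulation of disable/enable/modify filters applied to a rule set in a chosen order, showing the order dependence described above. "Disable all policy sigs, then enable a few" only leaves anything active when the enable pass runs after the disable pass. The rule text, sids and filter patterns are all constructed.

```python
import re

# Constructed sample rules in rules-file style (sids are made up).
RULES = [
    'alert tcp any any -> any any (msg:"POLICY example A"; classtype:policy-violation; sid:9000001; rev:1;)',
    'alert tcp any any -> any any (msg:"POLICY example B"; classtype:policy-violation; sid:9000002; rev:1;)',
    'alert tcp any any -> any any (msg:"MALWARE example C"; classtype:trojan-activity; sid:9000003; rev:1;)',
]

def disable_filter(rule, pattern):
    """Comment out an active rule whose text matches the regex."""
    if re.search(pattern, rule) and not rule.startswith("#"):
        return "# " + rule
    return rule

def enable_filter(rule, pattern):
    """Uncomment a disabled rule whose text matches the regex."""
    if re.search(pattern, rule) and rule.startswith("#"):
        return rule.lstrip("# ")
    return rule

def modify_filter(rule, pattern, old, new):
    """Rewrite a matching rule, like a modify entry (here: action swap)."""
    if re.search(pattern, rule):
        return rule.replace(old, new, 1)
    return rule

# Hypothetical policy: disable every policy-violation rule, re-enable one sid,
# and turn that one into a drop rule.
FILTERS = {
    "disable": lambda r: disable_filter(r, r"classtype:policy-violation"),
    "enable":  lambda r: enable_filter(r, r"sid:9000002;"),
    "modify":  lambda r: modify_filter(r, r"sid:9000002;", "alert", "drop"),
}

def apply_in_order(rules, order):
    """Run the named filters over every rule, in the given order."""
    result = []
    for rule in rules:
        for name in order:
            rule = FILTERS[name](rule)
        result.append(rule)
    return result

def active_sids(rules):
    """Sids of rules that are still active (not commented out)."""
    sids = []
    for rule in rules:
        match = re.search(r"sid:(\d+);", rule)
        if match and not rule.startswith("#"):
            sids.append(int(match.group(1)))
    return sids
```

With the order disable, enable, modify the re-enabled policy rule survives (as a drop rule); with enable before disable, the later disable pass comments it out again and only the non-policy rule remains.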


