[Oisf-users] suricata update modify

Jason Ish ish at unx.ca
Mon Oct 22 15:27:06 UTC 2018


On Fri, Oct 19, 2018 at 10:44 AM Slava Bendersky <volga629 at networklab.ca>
wrote:

> Hello Jason,
> Thank you, your solution helped resolve the issue.
> As a side note: when matched traffic is marked, does it make sense to set
> DROP as the rule action? Or just let the firewall put the source IP in an
> ipset with a timeout and then drop.
>

I'm not really sure what's best, I'm not a user of IPS mode myself. However,
I'd be cautious about setting all rules to drop. That might lead to dropping
some legitimate traffic that triggers as false positives as well.

I hope someone else can chime in on your question.

Jason


>
> Slava.
>
> ------------------------------
> *From: *"Jason Ish" <ish at unx.ca>
> *To: *"oisf-users" <oisf-users at lists.openinfosecfoundation.org>
> *Sent: *Thursday, October 18, 2018 2:37:49 PM
> *Subject: *Re: [Oisf-users] suricata update modify
>
> Hi Slava,
>
> On Thu, Oct 18, 2018 at 5:58 AM Slava Bendersky <volga629 at networklab.ca>
> wrote:
>
>> Hello Everyone,
>> Can't figure out how to insert the nfq connection mark in drop rules
>> in /etc/suricata/modify.conf.
>> The first one works, the second is incorrect.
>> Any help, thank you.
>>
>> re:. ^alert drop
>> re:. ";)$" "; nfq_set_mark:0x2\/0xffffffff;)"
>>
>
> In your second line you'll have to escape the ')' as it's not part of a
> regular expression grouping, so this will have it looking like:
>
> re:. ";\)$" "; nfq_set_mark:0x2\/0xffffffff;)"
>
> Also, in your "to" expression you should not be escaping the "/", this
> will result in a rule that won't be loaded by Suricata. So what I think you
> are looking for is:
>
> re:. ";\)$" "; nfq_set_mark:0x2/0xffffffff;)"
>
> Hope that helps,
> Jason
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
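The two pitfalls Jason points out (an unescaped ')' in the "from" regex, and a backslash-escaped '/' in the "to" string that ends up in the emitted rule) can be reproduced offline. The script below is an added example written for this page; it is not suricata-update's own code. It assumes the modify line is split into three shell-style fields (selector regex, "from" regex, "to" replacement) and that the replacement is applied with Python's re.sub, then runs the thread's good and bad lines over a few constructed sample rules and checks whether the resulting nfq_set_mark option still parses as mark/mask.

```python
import re
import shlex

# Constructed sample rules for the demo; not from any real ruleset.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"EXAMPLE ssh"; flow:to_server; sid:9000001; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE http"; content:"evil"; sid:9000002; rev:1;)',
    '# alert tcp any any -> any any (msg:"EXAMPLE disabled"; sid:9000003; rev:1;)',
]

# The modify lines discussed in the thread.
MODIFY_OK = [
    r're:. ^alert drop',
    r're:. ";\)$" "; nfq_set_mark:0x2/0xffffffff;)"',
]
MODIFY_BAD_PAREN = r're:. ";)$" "; nfq_set_mark:0x2/0xffffffff;)"'       # ')' not escaped
MODIFY_BAD_ESCAPE = r're:. ";\)$" "; nfq_set_mark:0x2\/0xffffffff;)"'    # '/' needlessly escaped

# Heuristic check, not Suricata's parser: nfq_set_mark must read as <hex mark>/<hex mask>.
NFQ_MARK_RE = re.compile(r'nfq_set_mark:(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+);')


def parse_modify_line(line):
    """Split 're:<selector> <from> <to>' into (selector_re, from_re, to_template).

    Assumption: fields are shell-style tokens. Inside double quotes shlex keeps
    a backslash before ')' or '/', so ";\)$" reaches the regex engine intact
    and "\/" reaches the replacement template intact (which is the bug).
    Returns None for blank lines and comments. Raises re.error on a bad regex.
    """
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    fields = shlex.split(line)
    if len(fields) != 3 or not fields[0].startswith('re:'):
        raise ValueError('unsupported modify line: %r' % line)
    selector, from_pattern, to_template = fields[0][3:], fields[1], fields[2]
    return re.compile(selector), re.compile(from_pattern), to_template


def modify_line_error(line):
    """Return the regex compile error for a modify line, or None if it is fine."""
    try:
        parse_modify_line(line)
    except re.error as exc:
        return str(exc)
    return None


def apply_modify(rules, modify_lines):
    """Apply every modify line whose selector matches to each rule, in order.

    Assumption for the demo: rules that are commented out are left untouched.
    """
    mods = [m for m in (parse_modify_line(l) for l in modify_lines) if m]
    out = []
    for rule in rules:
        if rule.lstrip().startswith('#'):
            out.append(rule)
            continue
        for selector, from_re, to_template in mods:
            if selector.search(rule):
                # Python keeps unknown non-letter escapes such as '\/' in the
                # replacement verbatim, so a bad "to" string leaks into the rule.
                rule = from_re.sub(to_template, rule)
        out.append(rule)
    return out


def parse_nfq_mark(rule):
    """Return (mark, mask) as ints if the rule carries a well-formed nfq_set_mark, else None."""
    m = NFQ_MARK_RE.search(rule)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


if __name__ == '__main__':
    print('bad paren line:', modify_line_error(MODIFY_BAD_PAREN))
    for r in apply_modify(SAMPLE_RULES, MODIFY_OK):
        print('OK  ', parse_nfq_mark(r), r)
    for r in apply_modify(SAMPLE_RULES, [MODIFY_BAD_ESCAPE]):
        print('BAD ', parse_nfq_mark(r), r)
```

Running it shows the unescaped line failing to compile, the corrected pair turning each active rule into `drop ... rev:1; nfq_set_mark:0x2/0xffffffff;)`, and the `\/` variant producing a rule whose mark option no longer parses, which is the "rule won't load" symptom from the thread. Whatever transform you settle on, diff the generated rules file against the previous one before reloading, since a selector of `.` rewrites every rule in the set.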