[Oisf-users] Rule being alerted even though it is disabled.

Todd Adam ddotmada at gmail.com
Fri Dec 27 16:05:59 UTC 2019


OK I have set up the ET policy rules to be disabled with this entrance in
the disabled.conf:

group:emerging-policy.rules

When I check the rules in /var/lib/suricata/rules/suricata.rules the rules
are disabled, but I still get alerts on the policy rules.
This is the alert that I can trigger reliably:

12/27/2019-08:40:25.590054  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.2.63.15:45082 -> 151.101.52.204:80
and here is what is in /var/lib/suricata/rules/suricata.rules:

# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:5; metadata:created_at 2011_08_31, updated_at 2011_08_31;)

I don't know why these policy rules keep firing.  I have disabled other
rulesets the same way.  Running 4.1.5.
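A check a practitioner would run before going further, as an added example that is not from the original post or from the Suricata project: given the rule files a Suricata instance actually loads, report in which of them sid 2013504 is still a live (uncommented) rule. The first sample file is the disabled copy quoted above; the second path and its contents are constructed to show what the check reports when some other loaded file still carries an enabled copy of the same sid.

```python
import re
from pathlib import Path

# Constructed sample input: the disabled copy from the post, plus a second,
# constructed file standing in for any other rule file Suricata might load.
SAMPLE_FILES = {
    "/var/lib/suricata/rules/suricata.rules": (
        '# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux '
        'APT User-Agent Outbound likely related to package management"; '
        'flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent; '
        'reference:url,help.ubuntu.com/community/AptGet/Howto; '
        'classtype:not-suspicious; sid:2013504; rev:5; metadata:created_at '
        '2011_08_31, updated_at 2011_08_31;)\n'
    ),
    "/etc/suricata/rules/emerging-policy.rules": (  # constructed path
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux '
        'APT User-Agent Outbound likely related to package management"; '
        'flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent; '
        'classtype:not-suspicious; sid:2013504; rev:5;)\n'
        'alert tcp any any -> any any (msg:"unrelated"; sid:20135041; rev:1;)\n'
    ),
}

# Match the sid option itself, so sid:20135041 never matches sid 2013504.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_state(rules_text: str, sid: int) -> str:
    """Return 'enabled', 'disabled' or 'missing' for one sid in one rule file.
    A leading '#' marks a disabled rule; any uncommented copy counts as live."""
    found = None
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if not m or int(m.group(1)) != sid:
            continue
        if line.lstrip().startswith("#"):
            found = found or "disabled"
        else:
            return "enabled"
    return found or "missing"

def where_enabled(files: dict, sid: int) -> list:
    """Paths (from a path -> contents mapping) where the sid is still live."""
    return [p for p, text in files.items() if rule_state(text, sid) == "enabled"]

def load_rule_files(paths) -> dict:
    """Read real rule files from disk into the same path -> contents mapping."""
    return {str(p): Path(p).read_text(errors="replace") for p in paths}

if __name__ == "__main__":
    print(where_enabled(SAMPLE_FILES, 2013504))
```

On a real host, pass the rule files named by the running instance's suricata.yaml to load_rule_files and feed the result to where_enabled; an empty list means no loaded file carries a live copy of the sid.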