[Oisf-users] oinkmaster.conf to suricata-update files
Jeff Dyke
jeff.dyke at gmail.com
Thu Feb 21 18:47:53 UTC 2019
Very hesitant to ask another question after I forgot to check permissions :)
Anyway. In oinkmaster.conf I have
define_template make_drop "^alert" | "drop"
use_template make_drop drop.rules, tor.rules, ciarmy.rules,
compromised.rules, emerging-scan.rules, emerging-malware.rules,
dshield.rules
This is designed to drop everything that is not commented out, but if I add
emerging-scan.rules to drop.conf, suricata-update seems to process the drop
file last, so I'm looking for an analogous way to support converting alerts
to drops only if they are not commented out. The biggest issue I have is
that the commented-out rules in this file include same source/destination
and local calls, sids 2100528 and 2100527, which I have in disable.conf, but
that is processed before drop.conf.
In the example above, I was able to support anything that the maintainers
felt didn't need to be in the file.
Thanks again,
Jeff
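The oinkmaster template above (anchor "^alert", replace with "drop", applied only to the listed files) expressed as a standalone post-processing script. This is an added example, not code from the post, from oinkmaster or from suricata-update; the rule files and sids it operates on are constructed, and the disabled_sids handling is an assumption about how the poster wants disable.conf honoured before the drop conversion.

```python
import re
from typing import Iterable

# Constructed sample rule files (hypothetical content), keyed by file name,
# standing in for the files named on the oinkmaster use_template line.
SAMPLE_FILES = {
    "emerging-scan.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed scan rule"; sid:9000001; rev:1;)\n'
        '# alert tcp any any -> any any (msg:"constructed, commented out"; sid:9000002; rev:1;)\n'
        '#alert tcp any any -> any any (msg:"constructed, commented out"; sid:9000003; rev:1;)\n'
        'pass tcp any any -> any any (msg:"constructed pass rule"; sid:9000004; rev:1;)\n'
    ),
    "local.rules": (
        'alert tcp any any -> any any (msg:"constructed, not in template list"; sid:9000005; rev:1;)\n'
    ),
}

TEMPLATE_FILES = {"emerging-scan.rules", "drop.rules"}  # files named in use_template

ALERT_RE = re.compile(r"^alert\b")  # same anchor as define_template "^alert"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def make_drop(text: str, disabled_sids: Iterable[int] = ()) -> str:
    """Apply the make_drop template to one file's text.

    Only active rules (lines starting with 'alert') are converted. Commented-out
    lines ('# alert ...' or '#alert ...'), non-alert actions and blank lines are
    returned unchanged. Rules whose sid is in disabled_sids are commented out
    instead of converted, so a disable.conf entry wins over the drop step.
    """
    disabled = set(disabled_sids)
    out = []
    for line in text.splitlines():
        if ALERT_RE.match(line):
            m = SID_RE.search(line)
            if m and int(m.group(1)) in disabled:
                out.append("# " + line)  # disabled: never promoted to drop
            else:
                out.append(ALERT_RE.sub("drop", line, count=1))
        else:
            out.append(line)  # comments, pass/reject rules, blanks untouched
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")

def apply_template(files: dict, template_files: set, disabled_sids=()) -> dict:
    """Run make_drop only on the files the use_template line names."""
    return {name: (make_drop(txt, disabled_sids) if name in template_files else txt)
            for name, txt in files.items()}

if __name__ == "__main__":
    for name, txt in apply_template(SAMPLE_FILES, TEMPLATE_FILES, [9000001]).items():
        print(f"== {name}\n{txt}")
```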