[Oisf-users] oinkmaster.conf to suricata-update files
Jason Ish
jason.ish at oisf.net
Mon Feb 25 00:10:34 UTC 2019
On 2019-02-21 12:47 p.m., Jeff Dyke wrote:
> Very hesitant to ask another question after I forgot to check permissions :)
Don't be :)
>
> Anyway. In oinkmaster.conf i have
>
> define_template make_drop "^alert" | "drop"
>
> use_template make_drop drop.rules, tor.rules, ciarmy.rules, compromised.rules, emerging-scan.rules, emerging-malware.rules, dshield.rules
>
> This is designed to drop everything that is not commented out, but if I
> add emerging-scan.rules to drop.conf, suricata-update seems to process
> the drop file last, so I'm looking for an analogous way to support
> converting alerts to drops only if they are not commented out. The
> biggest issue I have is that the commented-out rules in this file
> include the same source/destination and local calls, sids 2100528 and
> 2100527, which I have in disable.conf, but that is processed before
> drop.conf.
>
> In the example above, I was able to support anything that the
> maintainers felt didn't need to be in the file.
I can't think off-hand of an easy way to replicate this feature from
Oinkmaster, I'm actually not familiar with it from Oinkmaster either but
can't say I've used it much.
I think it's worth opening a ticket for. Even if it's resolvable without
code changes, it would probably still make a good documentation addition.
Thanks,
Jason
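For reference, the semantics of the Oinkmaster template discussed above (rewrite the leading `alert` to `drop` only on rules that are not commented out, and only in a chosen set of rule files) can be reproduced as a small post-processing step. The script below is an added example written for this thread; it is not part of suricata-update or Oinkmaster, and the rule lines it operates on are constructed samples with placeholder sids, not rules from any real ruleset. It also shows that rules already commented out by a disable step stay disabled, which is the ordering concern raised in the question.

```python
import re

# Rule files the oinkmaster use_template line in the thread applied the
# make_drop template to.
DROP_FILES = {
    "drop.rules", "tor.rules", "ciarmy.rules", "compromised.rules",
    "emerging-scan.rules", "emerging-malware.rules", "dshield.rules",
}

# Equivalent of the oinkmaster template: define_template make_drop "^alert" | "drop"
ALERT_RE = re.compile(r"^alert\b")


def alert_to_drop_line(line: str) -> str:
    """Rewrite one rule line. Commented-out lines (disabled rules) and
    non-alert actions (pass, reject, ...) are returned unchanged."""
    if line.lstrip().startswith("#"):
        return line
    return ALERT_RE.sub("drop", line, count=1)


def alert_to_drop(text: str) -> str:
    """Apply alert_to_drop_line to every line of a rule file's contents."""
    return "".join(alert_to_drop_line(l) for l in text.splitlines(keepends=True))


def convert_rule_files(files: dict) -> dict:
    """Apply the conversion only to the files named in DROP_FILES.
    `files` maps file name -> file contents; the result has the same keys."""
    return {
        name: alert_to_drop(text) if name in DROP_FILES else text
        for name, text in files.items()
    }


def count_actions(text: str) -> dict:
    """Count enabled rules by action keyword, ignoring comments and blank lines."""
    counts = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        action = stripped.split()[0]
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample rule file contents (placeholder sids, not real rules).
SAMPLE_SCAN_RULES = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh scan"; sid:1000001; rev:1;)\n'
    '# alert tcp $HOME_NET any -> $HOME_NET any (msg:"SAMPLE disabled local rule"; sid:1000002; rev:1;)\n'
    '#alert icmp any any -> any any (msg:"SAMPLE disabled, no space after #"; sid:1000003; rev:1;)\n'
    'pass tcp any any -> any any (msg:"SAMPLE pass rule left alone"; sid:1000004; rev:1;)\n'
)

SAMPLE_OTHER_RULES = (
    'alert tcp any any -> any 80 (msg:"SAMPLE rule in a file not listed"; sid:1000005; rev:1;)\n'
)


if __name__ == "__main__":
    result = convert_rule_files({
        "emerging-scan.rules": SAMPLE_SCAN_RULES,
        "local.rules": SAMPLE_OTHER_RULES,
    })
    for name, text in result.items():
        print(f"== {name}: {count_actions(text)}")
        print(text, end="")
```

Running the script converts the one enabled alert in emerging-scan.rules to a drop, leaves both commented-out rules and the pass rule untouched, and leaves local.rules (not in the list) as-is. If you run a disable pass before this conversion, anything it commented out is therefore never turned into a drop, regardless of which pass suricata-update itself applies last.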