[Oisf-users] Suricata rules default action

Raz Muhammad raz.muhammad at gmail.com
Tue Nov 12 03:08:18 UTC 2019


I have been playing around with Suricata and managed to get it working in
IPS mode on a Raspberry Pi. What I found is that the majority of the rules in
the suricata.rules file are configured with the "alert" action. Some of the
rules there are obvious candidates for the "drop" action.

I have a couple of questions:
1. If one is planning to deploy Suricata as an IPS, then there should be a
more stringent ruleset to apply. The general suricata.rules file results in
an IDS, unless one manually configures the rule action to drop.

2. What is the best way to set certain rule categories action to drop?

3. Oinkmaster or suricata-update which tool should be used?
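As an added illustration of question 2 (not code from the poster or from the Suricata project): the script below rewrites a rules file so that "alert" rules in chosen categories become "drop" rules, selecting by classtype or by the message prefix that Emerging Threats uses for its categories (e.g. "ET MALWARE"). Commented-out rules and rules that already carry another action are left untouched, and the function reports how many rules it changed so the result can be reviewed before it is loaded into an IPS. The sample rules and their sids are constructed placeholders, not entries from any real ruleset. In practice suricata-update offers a drop.conf filter for the same purpose; this example shows the mechanics of the conversion itself.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample rules for the demonstration; sids 1000001-1000004 are
# placeholders in the local range, not real Emerging Threats rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S; threshold: type both, track by_src, count 5, seconds 120; classtype:attempted-recon; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example C2 Beacon"; flow:established,to_server; content:"/beacon"; http_uri; classtype:trojan-activity; sid:1000002; rev:2;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Disabled Rule"; content:"x"; classtype:trojan-activity; sid:1000003; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"ET INFO Observed DNS Query"; dns.query; content:"example"; classtype:not-suspicious; sid:1000004; rev:1;)
"""

# A rule line starts with its action keyword; anything else (comments, blank
# lines) is passed through unchanged.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+(?P<rest>.*)$"
)
CLASSTYPE_RE = re.compile(r"classtype:\s*([\w-]+)\s*;")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def alert_to_drop(
    lines: Iterable[str],
    classtypes: Iterable[str] = (),
    msg_prefixes: Iterable[str] = (),
) -> Tuple[List[str], int]:
    """Return (rewritten_lines, number_changed).

    An 'alert' rule is turned into a 'drop' rule when its classtype is in
    `classtypes` or its msg starts with one of `msg_prefixes`. Rules with any
    other action, and commented-out rules, are never modified.
    """
    classtypes = set(classtypes)
    msg_prefixes = tuple(msg_prefixes)
    out: List[str] = []
    changed = 0
    for line in lines:
        m = RULE_RE.match(line)
        if not m or m.group("action") != "alert":
            out.append(line)
            continue
        ct = CLASSTYPE_RE.search(line)
        msg = MSG_RE.search(line)
        by_class = ct is not None and ct.group(1) in classtypes
        by_msg = msg is not None and msg.group(1).startswith(msg_prefixes)
        if by_class or by_msg:
            out.append("drop " + m.group("rest"))
            changed += 1
        else:
            out.append(line)
    return out, changed


def rewrite_rules_file(src: str, dst: str, classtypes=(), msg_prefixes=()) -> int:
    """Apply alert_to_drop to a file on disk and return the change count."""
    with open(src, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    rewritten, changed = alert_to_drop(lines, classtypes, msg_prefixes)
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write("\n".join(rewritten) + "\n")
    return changed


if __name__ == "__main__":
    # Demo on the constructed sample: drop trojan activity and scan rules.
    rules, n = alert_to_drop(
        SAMPLE_RULES.splitlines(),
        classtypes={"trojan-activity"},
        msg_prefixes=("ET SCAN",),
    )
    print(f"{n} rule(s) converted to drop")
    print("\n".join(rules))
```

Review the change count and the converted lines before deploying: in IPS mode a drop rule that matches benign traffic blocks it, so categories such as "ET INFO" are deliberately left on alert in the example.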
