[Oisf-users] Suricata rules default action

Andreas Herz aherz at oisf.net
Sat Nov 23 22:30:16 UTC 2019


On 12/11/19 at 03:08, Raz Muhammad wrote:
> 1. If one is planning to deploy Suricata as an IPS, then there should be a
> more stringent ruleset to apply. The general suricata.rules file results as
> an IDS, unless one manually configured the rule action to drop.

What is your question for that one :)?

> 2. What is the best way to set certain rule categories action to drop?

Convert those you want from alert to drop keyword.

> 3. Oinkmaster or suricata-update which tool should be used?

We recommend suricata-update.

Running as IPS is much more invasive and requires more knowledge about
the different rulesets.

Andreas Herz

More information about the Oisf-users mailing list