[Oisf-users] Suricata rules default action
Andreas Herz
aherz at oisf.net
Sat Nov 23 22:30:16 UTC 2019
Hi,
On 12/11/19 at 03:08, Raz Muhammad wrote:
> 1. If one is planning to deploy Suricata as an IPS, then there should be a
> more stringent ruleset to apply. The general suricata.rules file results in
> an IDS, unless one manually configures the rule action to drop.
What is your question for that one :)?
> 2. What is the best way to set certain rule categories action to drop?
Convert those you want from the alert to the drop keyword.
> 3. Oinkmaster or suricata-update which tool should be used?
We recommend suricata-update.
Running as IPS is much more invasive and requires more knowledge about
the different rulesets.
--
Andreas Herz
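As an added illustration of the advice in this thread (converting selected rule categories from alert to drop), the script below is not from Suricata or suricata-update, and the rules and sids in it are constructed. It rewrites only the leading action keyword of rules whose msg carries a chosen category prefix, and leaves commented-out rules and rules that are not alerts untouched; suricata-update's modify.conf can express the same rewrite natively, so this only shows the logic to check against.

```python
import re

# Constructed sample rules (not from any real ruleset); sids are placeholders.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example C2 checkin"; flow:established,to_server; content:"alert"; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"ET MALWARE Example disabled rule"; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Example software update"; sid:9000003; rev:1;)
drop tcp any any -> $HOME_NET 22 (msg:"ET SCAN Example brute force"; sid:9000004; rev:1;)
"""

# Only the leading action keyword is rewritten; the word "alert" may legitimately
# appear later in the rule (e.g. inside content:"...") and must not be touched.
ACTION_RE = re.compile(r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+")
MSG_RE = re.compile(r'msg:\s*"(?P<msg>[^"]*)"')


def alert_to_drop(rule_text, categories):
    """Rewrite 'alert' to 'drop' for rules whose msg starts with one of the
    given category prefixes (e.g. "ET MALWARE"). Commented-out rules and rules
    with any other action are left as they are. Returns (new_text, changed_sids)."""
    out, changed = [], []
    for line in rule_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)  # keep blank lines and disabled rules untouched
            continue
        action = ACTION_RE.match(stripped)
        msg = MSG_RE.search(stripped)
        if (action and action.group("action") == "alert" and msg
                and any(msg.group("msg").startswith(c + " ") for c in categories)):
            stripped = "drop" + stripped[action.end("action"):]
            sid = re.search(r"sid:\s*(\d+)", stripped)
            changed.append(int(sid.group(1)) if sid else -1)
        out.append(stripped)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_rules, sids = alert_to_drop(SAMPLE_RULES, ["ET MALWARE"])
    print(f"converted {len(sids)} rule(s) to drop: {sids}")
    print(new_rules)
```

In IPS mode every rule converted this way blocks matching traffic, so the list of changed sids is what you review before loading the result.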