[Oisf-users] Rule being alerted even though is is disabled.

Andreas Herz aherz at oisf.net
Mon Jan 20 20:05:25 UTC 2020

Hi Todd,

On 27/12/19 at 09:05, Todd Adam wrote:
> and here is what is in /var/lib/suricata/rules/suricata.rules
> # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux
> APT User-Agent Outbound likely related to package management";
> flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent;
> reference:url,help.ubuntu.com/community/AptGet/Howto;
> classtype:not-suspicious; sid:2013504; rev:5; metadata:created_at
> 2011_08_31, updated_at 2011_08_31;)

Is this the only line with that rule or is there maybe a duplicate where
it's enabled again?

Also how does your rule-file configration look like in the suricata

Andreas Herz

More information about the Oisf-users mailing list