[Oisf-users] Rule being alerted even though is is disabled.
Andreas Herz
aherz at oisf.net
Mon Jan 20 20:05:25 UTC 2020
Hi Todd,
On 27/12/19 at 09:05, Todd Adam wrote:
> and here is what is in /var/lib/suricata/rules/suricata.rules
> # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux
> APT User-Agent Outbound likely related to package management";
> flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent;
> reference:url,help.ubuntu.com/community/AptGet/Howto;
> classtype:not-suspicious; sid:2013504; rev:5; metadata:created_at
> 2011_08_31, updated_at 2011_08_31;)
Is this the only line with that rule or is there maybe a duplicate where
it's enabled again?
Also how does your rule-file configration look like in the suricata
config?
--
Andreas Herz
More information about the Oisf-users
mailing list