[Oisf-users] signature action drop instead of alert
Vieri
rentorbuy at yahoo.com
Fri Jan 24 11:46:12 UTC 2020
On Friday, January 24, 2020, 8:58:01 AM GMT+1, Vieri <rentorbuy at yahoo.com> wrote:
>
>> I'm using Suricata 5.0.1, and I'm getting lots of "drops" for several SURICATA STREAM signatures.
>
> In general you don't want to convert those rules to drop as they will
> trigger quite often at mixed traffic environments in some cases.
Would you suggest not dropping the SURICATA STREAM rules or the whole protocol-command-decode class type?
Any general guideline as to which categories/rulesets to drop for sure and which should be taken into account more cautiously for the drop action to take place?
> Can you check what path is set in the suricata config?
> I would guess that it's using another ruleset where you have action drop
> instead of alert.
OK, I think I pinpointed the problem.
# grep -r 2210042 /var/lib/suricata/*
/var/lib/suricata/rules/suricata.rules:alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
# grep -r 2210042 /usr/share/suricata/rules/*
/usr/share/suricata/rules/stream-events.rules:alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
They're both with the "alert" event type, though.
suricata-update reports:
<Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
<Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
...etc...
So Suricata loads BOTH /usr/share/suricata/rules files AND /var/lib/suricata/rules/suricata.rules.
Why?
Is loading of the /usr/share/suricata/rules files hardcoded?
# grep -r /usr/share/suricata /etc/suricata/*
#
Are the files in /usr/share/suricata/rules installed when installing Suricata, or are they pulled in by suricata-update?
Should I simply delete them?
Vieri
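The question in this thread is where a "drop" action comes from when both rule copies show "alert", and which rule files Suricata actually loads. The following POSIX shell script is an added example, not code from the poster or from the Suricata project: it builds a constructed miniature of the two rule trees (a stand-in for /usr/share/suricata/rules and /var/lib/suricata/rules) under a temporary directory and audits them: which sids carry the drop action, which sids occur in more than one file, and how to flip one classtype from alert to drop while leaving stream-event rules alone, which is what the quoted advice recommends. Only sid 2210042 and its rule text come from the thread; the 9000xxx sids, their messages, the event names and the directory layout are invented for the example and are not meant to load in a real Suricata.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Suricata project.
# Builds a constructed mini rule tree and audits rule actions and sids.
set -u

# make_sample_rules DIR: write constructed rule files under DIR.
# Only sid 2210042 is taken from the thread; the 9000xxx sids, messages
# and event names are invented and would not load in a real Suricata.
make_sample_rules() {
    dir="$1"
    mkdir -p "$dir/share/rules" "$dir/lib/rules"
    # Distribution rules as shipped with Suricata: every action is "alert".
    cat > "$dir/share/rules/stream-events.rules" <<'EOF'
alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE STREAM constructed event"; stream-event:example_constructed_event; classtype:protocol-command-decode; sid:9000001; rev:1;)
EOF
    # Merged file as suricata-update writes it, with one stream rule already
    # flipped to "drop" (constructed) to reproduce the symptom in the thread.
    cat > "$dir/lib/rules/suricata.rules" <<'EOF'
drop tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE STREAM constructed event"; stream-event:example_constructed_event; classtype:protocol-command-decode; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN constructed beacon"; flow:established,to_server; content:"example"; classtype:trojan-activity; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE DECODE constructed app-layer event"; app-layer-event:example.constructed; classtype:protocol-command-decode; sid:9000003; rev:1;)
EOF
}

# list_drop_sids FILE...: print the sid of every active rule whose action is
# "drop". Commented-out rules are skipped.
list_drop_sids() {
    awk '/^[[:space:]]*#/ || !/^[[:space:]]*drop[[:space:]]/ { next }
         match($0, /sid:[0-9]+/) { print substr($0, RSTART + 4, RLENGTH - 4) }' "$@"
}

# find_dup_sids FILE...: print (sorted) every sid that appears in more than
# one of the given files. Two copies of a sid with different actions is
# exactly the situation that makes "where does the drop come from" hard.
find_dup_sids() {
    awk '/^[[:space:]]*#/ { next }
         match($0, /sid:[0-9]+/) {
             sid = substr($0, RSTART + 4, RLENGTH - 4)
             if (!((sid, FILENAME) in seen)) { seen[sid, FILENAME] = 1; files[sid]++ }
         }
         END { for (s in files) if (files[s] > 1) print s }' "$@" | sort
}

# convert_classtype_to_drop CLASSTYPE FILE: rewrite FILE in place, turning
# "alert" into "drop" for rules of CLASSTYPE, but never for stream-event
# rules, which fire on ordinary mixed traffic and should stay as alerts.
convert_classtype_to_drop() {
    ct="$1"
    f="$2"
    awk -v ct="$ct" '
        /^[[:space:]]*alert[[:space:]]/ && index($0, "classtype:" ct ";") && !index($0, "stream-event:") {
            sub(/^[[:space:]]*alert/, "drop")
        }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Stand-alone demo: run with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    make_sample_rules "$t"
    echo "drop sids in suricata.rules:"
    list_drop_sids "$t/lib/rules/suricata.rules"
    echo "sids present in both trees:"
    find_dup_sids "$t/share/rules/stream-events.rules" "$t/lib/rules/suricata.rules"
    convert_classtype_to_drop protocol-command-decode "$t/lib/rules/suricata.rules"
    echo "drop sids after converting protocol-command-decode (stream events kept):"
    list_drop_sids "$t/lib/rules/suricata.rules"
    rm -rf "$t"
fi
```

On a real host the same audit is run against the files suricata.yaml actually names; `suricata --dump-config` prints the effective `default-rule-path` and `rule-files` entries, and `suricata -T -c /etc/suricata/suricata.yaml` validates the loaded set. The awk rewrite is only for illustration: the supported way to turn rules into drops with suricata-update is its drop.conf (`--drop-conf`), which is re-applied on every update, whereas an in-place edit of suricata.rules is overwritten the next time suricata-update runs.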