Intrusion Detection and Prevention / Re: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
« on: Today at 02:36:34 am »
I tried to follow the guide, but when making the policies, none of the options show up, like "signature severity" or "class type" until I download and enable rules. Are you downloading and enabling all rules before doing these policy setups?
I ask because I went ahead and set up Suricata with the rules that I desire, without doing your policies. I notice that all rules are set to Alert. So if I look at my alerts it's giving me the alerts and stating "Action = Allowed". I am confused by this because I thought enabling IPS mode would add blocks as well.
Edit: reading other posts in the forum, I realize I need to set the rules to drop https://forum.opnsense.org/index.php?topic=6930.0
Once you have all your rules enabled, you need to edit each ruleset and select 'Change all alerts to drop action'
This doesn't appear to be an option on my rule sets, only the individual rules themselves... Do I seriously need to edit all 150K+ rules to drop?... Do your policies take care of this?
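The post above asks whether every alert rule must be edited by hand to get a drop action. The following is an added example, not code from the original post, from OPNsense or from the Suricata project: it shows the rewrite that "change all alerts to drop" amounts to at the rule-file level, so the effect of such a policy can be checked before trusting it. The rule lines, SIDs (9000001 and up, the local range) and classtypes are constructed for the demo; the optional classtype filter stands in for a policy that converts only selected rule categories. Commented-out (disabled) rules, blank lines, and rules that are already drop or pass are left untouched. Note that a drop action only blocks traffic when Suricata runs inline (IPS mode); in IDS mode a drop rule still only alerts.

```python
import re

# Constructed sample ruleset in Suricata syntax (not from any real rule feed).
SAMPLE_RULES = """\
# Example ruleset (constructed for this demo)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO ssh brute force"; classtype:attempted-admin; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"DEMO policy violation"; classtype:policy-violation; sid:9000002; rev:1;)
# alert tcp any any -> any any (msg:"DEMO disabled rule"; classtype:misc-activity; sid:9000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"DEMO already drop"; classtype:attempted-admin; sid:9000004; rev:1;)

pass ip 10.0.0.5 any -> any any (msg:"DEMO trusted host"; sid:9000005; rev:1;)
"""

# An active rule whose action is 'alert' (disabled rules start with '#', so they never match).
ACTION_RE = re.compile(r'^(alert)(\s+)', re.IGNORECASE)
CLASSTYPE_RE = re.compile(r'classtype\s*:\s*([A-Za-z0-9_-]+)\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def alert_to_drop(rules_text, classtypes=None):
    """Rewrite active 'alert' rules to 'drop'.

    Returns (new_text, changed_sids). If classtypes is a set, only rules whose
    classtype is in that set are converted; everything else passes through unchanged.
    """
    out = []
    changed = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            ct = CLASSTYPE_RE.search(line)
            if classtypes is None or (ct and ct.group(1) in classtypes):
                # Replace only the action keyword; keep the original spacing and rule body.
                line = 'drop' + line[m.end(1):]
                sid = SID_RE.search(line)
                changed.append(int(sid.group(1)) if sid else None)
        out.append(line)
    return '\n'.join(out) + '\n', changed


def count_actions(rules_text):
    """Count rules per action keyword, skipping blank lines and disabled (#) rules.
    Useful as a before/after check that a bulk conversion did what was intended."""
    counts = {}
    for line in rules_text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        action = s.split(None, 1)[0].lower()
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == '__main__':
    print('before:', count_actions(SAMPLE_RULES))
    converted, sids = alert_to_drop(SAMPLE_RULES)
    print('after (all alerts):', count_actions(converted), 'changed sids:', sids)
    subset, sids = alert_to_drop(SAMPLE_RULES, {'attempted-admin'})
    print('after (attempted-admin only):', count_actions(subset), 'changed sids:', sids)
```

Running the script on a real `.rules` file instead of the constructed sample gives a quick way to confirm how many rules a policy would actually flip from alert to drop, and which SIDs they are, before the change goes live.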