Intrusion Detection and Prevention / Got it working- here is how.
« on: March 30, 2020, 09:27:36 pm »
The interface and GUI, I have realized, is horrible. This is why, after reading tons of articles on Suricata, the manual, all this stuff, none of it worked.
What I did is enable the rules in
<-- assumes you DL'ed the rules you wanted and paid for or applied for any that required licensing. -->
Services: Intrusion Detection: Administration> rules
What I had to do is enable all the rules kind of manually.
Change the view number of rules drop down to 1000, then check the "sid" check box, selecting all 1000 rules, then scroll to the bottom, click enable selected, and drop, then wait forever; after it's done, click apply.
For me this fixed it for the 22k rules I have, and now in the logs I have all sorts of info.
Bonus, go to
Services: Intrusion Detection: Administration> rules
and do a search filter for:
DELETED
These are old rules, and not used rules, but if they are enabled, I don't know if it has any effect on system resources or not. Maybe someone can chime in....
Anyway, I just pick 1000 again and check sid, then scroll to the bottom and click disable; after that's done, hit apply, then go through the next page, if any, to see if it applied the disable to those as well.
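The post above leaves the reader checking page by page in the GUI whether the bulk enable/disable actually applied. As an added example (not from the post or from OPNsense/Suricata), here is a small parser that reads a Suricata rules file, counts enabled versus commented-out rules, and lists any DELETED rules that are still enabled. The sample rule lines and SIDs are constructed for the example; the rules file path on your box is an assumption you supply.

```python
import re
import sys

# Constructed sample of Suricata rule lines (not real signatures, placeholder SIDs).
# A disabled rule is the same line with a leading '#', which is what the GUI writes.
SAMPLE_RULES = """\
# constructed example rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY Outbound SMTP"; sid:9000001; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET SCAN SMB probe"; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Old Toolbar Checkin"; sid:9000003; rev:4;)
#alert dns any any -> any any (msg:"ET DELETED Stale Sinkhole"; sid:9000004; rev:1;)
"""

# Optional leading '#' marks a disabled rule; then the action keyword, the msg, and the sid.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s.*?'
    r'msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+);'
)

def parse_rules(text):
    """Return one dict per rule line: sid, msg, action and whether it is enabled."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments are not rules
        rules.append({
            "sid": int(m.group("sid")),
            "msg": m.group("msg"),
            "action": m.group("action"),
            "enabled": m.group("off") is None,
        })
    return rules

def summarize(rules):
    """Count enabled/disabled rules and flag DELETED rules left enabled."""
    enabled = [r for r in rules if r["enabled"]]
    return {
        "total": len(rules),
        "enabled": len(enabled),
        "disabled": len(rules) - len(enabled),
        "deleted_still_enabled": [r["sid"] for r in enabled if "DELETED" in r["msg"]],
    }

if __name__ == "__main__":
    # Pass the path of a rules file to check a real ruleset; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print(summarize(parse_rules(text)))
```

Run it against the rules file Suricata actually loads after clicking apply; a non-empty `deleted_still_enabled` list means the disable did not reach every page of DELETED rules.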