Topic: How to manage rules, policies and general guidance to live with Suricata? (Read 1407 times)
Relaxe (Newbie, Posts: 5, Karma: 0)
« on: September 08, 2022, 08:42:56 pm »
Hello folks,
Total n00b here, learning fast. I just want to share what I wished I knew from the start.
I have installed and configured Suricata in IPS mode on my OPNSense box.
I see Alerts, can drop by rule and all. It works.
But now, I want to "block the bad things".
I thought installing ET Pro and setting IPS ON would do the trick.
I saw many alerting Alerts, but no drops.
I then played with Policies, and figured that a small number of rules (about 10%) are already at "drop", only the real bad ones.
What one can do is enable SETS of Rules.
Keep in mind, there are ~86000 rules as of late 2022 if you download all the packages.
Changing Alert to Drop manually on all of them is not an option.
What you can do is create a new Policy that states, for each pertinent ruleset, that the default "alert" rules are now "drop".
For instance, I want to block all things tor. I created a policy with ruleset = tor.rules, action=Alert, and new Action = drop.
Now, all the Alerts go straight to drop for that category.
I am now playing with ALL alerts -> Drop, and whitelisting genuine use cases. There are a lot of false positives, but it's manageable so far.
When I see a drop that should have been totally fine (I saw a drop for discord.com), I click the pencil next to the alert and disable that rule. I wish there was a comment field to indicate the reason, but that is another thing.
Good luck!
« Last Edit: September 09, 2022, 02:17:56 pm by Relaxe »
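The policy logic described in the post (rules in one ruleset whose action is "alert" become "drop", plus disabling individual rules that fire on legitimate traffic), as an added Python example that is not part of the post or of OPNsense's own code. The rule lines and sid numbers are constructed samples, and apply_policy/count_actions are hypothetical helpers, not an OPNsense or Suricata API.

```python
import re

# Constructed sample rules in Suricata syntax, keyed by ruleset file name.
# These are not ET Pro rules; the sids are placeholders.
RULES_BY_FILE = {
    "tor.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"SAMPLE Tor relay port"; sid:1000001; rev:1;)',
        'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Tor known exit"; sid:1000002; rev:1;)',
    ],
    "policy.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE Chat service"; sid:1000003; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|drop|pass|reject)\b")


def parse_sid(rule):
    """Return the integer sid of a Suricata rule line, or None if absent."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def apply_policy(rules_by_file, ruleset, from_action, to_action, disabled_sids=()):
    """Rewrite rule actions the way the post's policy does.

    ruleset: file name the policy applies to, or None for all rulesets
             (the post's "ALL alerts -> Drop" experiment).
    disabled_sids: rules disabled after a false positive; they are
             commented out instead of rewritten (the pencil-icon step).
    Returns {file name: [rewritten rule lines]}.
    """
    out = {}
    for fname, rules in rules_by_file.items():
        new_rules = []
        for rule in rules:
            if parse_sid(rule) in disabled_sids:
                new_rules.append("# " + rule)
                continue
            m = ACTION_RE.match(rule)
            if m and m.group(1) == from_action and ruleset in (None, fname):
                rule = to_action + rule[m.end():]
            new_rules.append(rule)
        out[fname] = new_rules
    return out


def count_actions(rules_by_file):
    """Count active (not commented-out) rules per action across all files."""
    counts = {}
    for rules in rules_by_file.values():
        for rule in rules:
            m = ACTION_RE.match(rule)
            if m:
                counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```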