Topic: Two questions regarding suricata (Read 1267 times)
Dunuin
Newbie
Posts: 31
Karma: 1
Two questions regarding suricata
« on: August 03, 2022, 09:06:16 pm »
Hi,
Got suricata in IPS mode running here in the home lab. I think it is working, but two things are still not clear to me.
1.) Is there some default behavior for rules that will be used when nothing special is defined? Because there are some rulesets that got rules for malicious events that I would like to block but also some rules just for monitoring.
Right now I got one policy with high priority that sets the action to "block" in case the action is "disabled" for specific rulesets like "drop.rules", "compromised.rules" and so on. And then I got a lower priority policy that sets all rules of all rulesets to "alert" no matter what action is set. As far as I understand this will block all rulesets that I specified in the first policy and then alert for all other rulesets which I didn't set to "block".
Do I really need to do it this way (or is there a better way) because all rules will be disabled by default, or is there some reasonable default action for each rule so I could just do what the ruleset provider recommends as an action?
2.) I installed the ET Open and ET Pro Telemetry plugins. For "os-intrusion-detection-content-et-open" the comment is "IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition". With that I get for example the rulesets "ET open/botcc.portgrouped" and "ET telemetry/botcc.portgrouped". Do I need both rulesets or is the more up-to-date ET Pro Telemetry enough because it also includes the rules of the ET Open? Not that I run the same rules twice.
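For question 2, one way to find out whether two rulesets would run the same rules twice is to compare the SIDs they ship; the same parse also shows, for question 1, what each rule's provider default is (the action keyword at the start of the line, or a leading `#` for a rule shipped disabled). This is an added Python example, not code from the post or from OPNsense, and the two rule files below are constructed samples in Suricata rule syntax, not real ET content.

```python
import re
from collections import Counter

# Constructed sample rulesets (not real ET rules). sid:2404000 appears in
# both on purpose, so the overlap check has something to report.
ET_OPEN = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE open rule A"; flow:to_server,established; sid:2404000; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6668 (msg:"SAMPLE open rule B"; sid:2404001; rev:2;)
# a plain comment line, not a rule
#alert tcp $HOME_NET any -> $EXTERNAL_NET 6669 (msg:"SAMPLE open rule C, shipped disabled"; sid:2404002; rev:1;)
"""
ET_TELEMETRY = """\
drop tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE telemetry rule A"; flow:to_server,established; sid:2404000; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7000 (msg:"SAMPLE telemetry rule D"; sid:2404010; rev:1;)
"""

# A rule line starts with an optional '#' (disabled) followed by the action keyword.
ACTION_RE = re.compile(r"^(#\s*)?(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Map sid -> {action, rev, enabled} for every rule line in a ruleset."""
    rules = {}
    for line in text.splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            continue  # blank line or ordinary comment, not a rule
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # every real rule carries a sid; skip anything without one
        rev_m = REV_RE.search(line)
        rules[int(sid_m.group(1))] = {
            "action": m.group(2),
            "rev": int(rev_m.group(1)) if rev_m else 0,
            "enabled": m.group(1) is None,
        }
    return rules

def summarize(rules):
    """Count the provider's shipped defaults: action keyword, or 'disabled' for commented-out rules."""
    counts = Counter(r["action"] if r["enabled"] else "disabled" for r in rules.values())
    return dict(counts)

def overlap(a, b):
    """SIDs present in both rulesets, with the rev each side ships."""
    return {sid: (a[sid]["rev"], b[sid]["rev"]) for sid in sorted(a.keys() & b.keys())}

if __name__ == "__main__":
    open_rules, tele_rules = parse_rules(ET_OPEN), parse_rules(ET_TELEMETRY)
    print("ET open defaults:", summarize(open_rules))
    print("ET telemetry defaults:", summarize(tele_rules))
    print("shared sids (open rev, telemetry rev):", overlap(open_rules, tele_rules))
```

Pointing `parse_rules` at the real downloaded rule files instead of the inline samples gives the same report for the actual "botcc.portgrouped" pair.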