How to change alert type / edit rule sets in Suricata
-
Hello, I have a new NG device and I've downloaded the rule sets I want, but I'm trying to customize these rules now and I can not for the life of me figure out how I customize each rule so that it will not get overwritten on the next update. Particularly setting alert actions and allowing select IPs to bypass one rule but not all rules.
Any assistance is welcome.
Thank you
-
You need to learn to use the features on the SID MGMT tab. Go to that tab, enable the feature by checking the box, then read through all the provided sample conf files for hints on how to use the feature.
Be advised, though, that wholesale changes to the rules are not supported. The feature is mainly for selecting which rules to enable or disable using regex matching, and for altering certain rule actions from, say, "alert" to "drop".
If you want to create your own rules, then use the Custom Rules option on the RULES tab for an interface. On that tab, choose "Custom Rules" in the Category dropdown, and then type (or paste) your own custom rule (or rules) into the text box. Once done, save the change. Those rules will survive any rules update.
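The SID management behaviour described in the answer (select rules by SID or by regex, enable or disable them, and change an action such as "alert" to "drop") works the same way on a plain Suricata rules file. The script below is an added illustration of that mechanism, not code from the poster or from the pfSense package: its selector format and processing order are its own assumptions, and the real conf-file syntax is the one shown in the sample conf files on the SID MGMT tab.

```python
import re

# Constructed sample rules in Suricata syntax (not from the post); SID 2000003 starts disabled.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; sid:2001219; rev:20;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"LOCAL Telnet outbound"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"ET INFO DNS query to odd TLD"; sid:2000003; rev:5;)
alert ip any any -> any any (msg:"ET POLICY Noisy policy rule"; sid:2000004; rev:2;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
HEAD_RE = re.compile(r"^(#\s*)?(alert|drop|pass|reject)\b")  # optional comment marker + action

def matches(selector, line):
    """Selector is an int (exact SID) or a regex string searched over the whole rule text."""
    if isinstance(selector, int):
        m = SID_RE.search(line)
        return bool(m) and int(m.group(1)) == selector
    return re.search(selector, line) is not None

def apply_sid_mgmt(text, enable=(), disable=(), modify=()):
    """Uncomment, comment out, or re-action selected rules; modify entries are
    (selector, from_action, to_action). The enable -> disable -> modify order is assumed here."""
    out = []
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if not head:                       # blank line or plain comment: leave untouched
            out.append(line)
            continue
        commented, action, body = bool(head.group(1)), head.group(2), line[head.end():]
        if any(matches(s, line) for s in enable):
            commented = False
        if any(matches(s, line) for s in disable):
            commented = True
        for sel, old, new in modify:       # only touch rules currently carrying `old`
            if action == old and matches(sel, line):
                action = new
        out.append(("# " if commented else "") + action + body)
    return "\n".join(out) + "\n"

def rule_states(text):
    """Map SID -> (enabled, action) so a change can be checked before it is deployed."""
    states = {}
    for line in text.splitlines():
        head, sid = HEAD_RE.match(line), SID_RE.search(line)
        if head and sid:
            states[int(sid.group(1))] = (not head.group(1), head.group(2))
    return states
```

For instance, `apply_sid_mgmt(SAMPLE_RULES, enable=[2000003], disable=[r"ET POLICY"], modify=[(1000001, "alert", "drop"), (r"ET SCAN", "alert", "drop")])` re-enables SID 2000003, comments out the ET POLICY rule, and switches the custom rule and the scan rule from alert to drop while leaving every other rule untouched.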