Suricata showing ET Policy alerts
  • I'm running Suricata on LAN in detection mode (no blocking). I disabled the pre-defined Snort IPS policies and selected a small subset of rules to get started. I did NOT enable emerging-policy.rules. However, I am getting:

    Potential Corporate Privacy Violation
    1:2000419 ET POLICY PE EXE or DLL Windows file download

    I went to Suricata Interface LAN Rules: decoder-events.rules and scrolled through the "Categories". I can't find any ET POLICY rules.

    Why is Suricata issuing a policy rule alert when emerging-policy.rules is not included as a selected ruleset (or found in the Categories list)?

    Services / Suricata / Global Settings
    ETOpen Emerging Threats Rules
    Install Snort VRT Rules
    Install Snort Community rules

    Suricata IDS / Interface LAN - Categories
    Resolve Flowbits enabled
    Not using pre-defined Snort IPS policies
    Selected rulesets:
    Snort GPLv2 Community Rules
    A few of the Snort Text Rules (i.e. malware)
    A few of the ET Rules (i.e. malware, botcc)
  • Solved.

    The ET POLICY rules are in the Resolve Flowbits automatic rules.

    However, you can't view the rules in the Suricata Interface LAN Rules: decoder-events.rules page. You have to view them on the Suricata IDS / Interface LAN - Categories page.
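
As an added illustration (not from the original thread) of why a rule from an unselected category ends up active: a small parser for Suricata-style rule lines and a flowbit resolution pass, modelled on what a "Resolve Flowbits" option does, that pulls in disabled rules setting a flowbit some enabled rule checks. The rule bodies and the sids 9000001/9000002 are constructed; only the sid and msg of 2000419 come from the post.

```python
import re

SETTERS = {"set", "setx", "toggle"}       # flowbits actions that produce a bit
CHECKERS = {"isset", "isnotset"}         # flowbits actions that depend on a bit

# Constructed, simplified rule text (not the real ET rule bodies). A leading '#'
# marks a disabled rule, as in Suricata rule files. Only the MALWARE rule is
# selected; the POLICY rule that sets the flowbit it checks is not.
SAMPLE_RULES = """\
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flowbits:set,ET.http.binary; sid:2000419; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Example check on downloaded binary"; flowbits:isset,ET.http.binary; sid:9000001; rev:1;)
#alert http any any -> any any (msg:"ET POLICY Unrelated setter"; flowbits:set,ET.other; sid:9000002; rev:1;)
"""

def parse_rules(text):
    """Return one dict per rule: sid, msg, enabled, and the flowbits it sets/checks."""
    rules = []
    for line in text.splitlines():
        if "sid:" not in line:
            continue
        body = line.lstrip("#").strip()
        rule = {"sid": int(re.search(r"sid:\s*(\d+)", body).group(1)),
                "msg": re.search(r'msg:"([^"]*)"', body).group(1),
                "enabled": not line.startswith("#"), "sets": set(), "checks": set()}
        for action, names in re.findall(r"flowbits:\s*(\w+)\s*,\s*([^;]+);", body):
            key = "sets" if action in SETTERS else "checks" if action in CHECKERS else None
            if key:  # compound bits like "a&b" name several bits at once
                rule[key].update(n.strip() for n in re.split(r"[&|]", names))
        rules.append(rule)
    return rules

def resolve_flowbits(rules):
    """Sids of disabled rules that must be auto-enabled so every flowbit an enabled
    rule checks is set by some enabled rule (repeated until nothing more is pulled in)."""
    by_sid = {r["sid"]: r for r in rules}
    enabled = {r["sid"] for r in rules if r["enabled"]}
    added = set()
    while True:
        needed = {b for s in enabled for b in by_sid[s]["checks"]}
        pulled = {r["sid"] for r in rules if r["sid"] not in enabled and r["sets"] & needed}
        if not pulled:
            return sorted(added)
        enabled |= pulled
        added |= pulled

if __name__ == "__main__":
    by_sid = {r["sid"]: r for r in parse_rules(SAMPLE_RULES)}
    for sid in resolve_flowbits(list(by_sid.values())):
        print(f"auto-enabled by flowbit resolution: {sid} {by_sid[sid]['msg']}")
```

Running it reports only 2000419: the unrelated POLICY rule 9000002 stays disabled because no selected rule checks the bit it sets.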