Suricata showing ET Policy alerts
-
I'm running Suricata on LAN in detection mode (no blocking). I disabled the pre-defined Snort IPS policies and selected a small subset of rules to get started. I did NOT enable emerging-policy.rules. However, I am getting:
Potential Corporate Privacy Violation 1:2000419 ET POLICY PE EXE or DLL Windows file download
I went to Suricata Interface LAN Rules: decoder-events.rules and scrolled through the "Categories". I can't find any ET POLICY rules.
Why is Suricata issuing a policy rule alert when emerging-policy.rules is not included as a selected ruleset (or found in the Categories list)?
Services / Suricata / Global Settings
ETOpen Emerging Threats Rules
Install Snort VRT Rules
Install Snort Community rules
Suricata IDS / Interface LAN - Categories
Resolve Flowbits enabled
Not using pre-defined Snort IPS policies
Selected rulesets:
Snort GPLv2 Community Rules
A few of the Snort Text Rules (i.e. malware)
A few of the ET Rules (i.e. malware, botcc) -
Solved.
The ET POLICY rules are in the Resolve Flowbits automatic rules.
However, you can't view the rules in the Suricata Interface LAN Rules: decoder-events.rules page. You have to view them on the Suricata IDS / Interface LAN - Categories page.
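What "Resolve Flowbits" is doing here, as an added illustration rather than the pfSense Suricata package's own code: a rule you selected (e.g. a malware rule) carries a `flowbits:isset,<name>` check, and that check can only ever fire if some rule that does `flowbits:set,<name>` on the same flow is also loaded. The resolver therefore walks the whole rule corpus, including categories you never ticked and rules that are commented out, and enables every setter the selected rules depend on, transitively. The rule text below is constructed for the example (the `SAMPLE.*` flowbit names, messages and sids 9000001-9000007 are invented, not the real ET signatures), which is why a POLICY-style rule ends up enabled when only MALWARE rules were picked.

```python
import re
from typing import Dict, Set

# Constructed sample rules in Suricata syntax (not the real ET/Snort rule text).
# They reproduce the pattern behind the post: a POLICY rule sets a flowbit that
# MALWARE rules check later on the same flow, so resolving flowbits must enable
# the setter even when its category was never selected.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE POLICY PE EXE or DLL download"; flowbits:set,SAMPLE.http.binary; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE MALWARE EXE after suspicious redirect"; flowbits:isset,SAMPLE.http.binary; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE MALWARE beacon stage 1"; flowbits:set,SAMPLE.beacon.stage1; flowbits:noalert; sid:9000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE MALWARE beacon stage 2"; flowbits:isset,SAMPLE.beacon.stage1; flowbits:set,SAMPLE.beacon.stage2; sid:9000004; rev:1;)
# a commented-out (disabled) rule is still a candidate setter
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE POLICY unrelated"; flowbits:set,SAMPLE.unrelated; sid:9000005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE MALWARE beacon stage 3"; flowbits:isset,SAMPLE.beacon.stage2; sid:9000006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE MALWARE orphan check"; flowbits:isset,SAMPLE.never.set; sid:9000007; rev:1;)
"""

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
ACTIONS = ("alert", "drop", "pass", "reject")


class Rule:
    """One parsed rule: which flowbits it sets/toggles and which it checks."""

    def __init__(self, sid: int, text: str, enabled: bool) -> None:
        self.sid = sid
        self.enabled = enabled
        m = MSG_RE.search(text)
        self.msg = m.group(1) if m else ""
        self.sets: Set[str] = set()
        self.checks: Set[str] = set()
        for action, arg in FLOWBITS_RE.findall(text):
            # "a&b" / "a|b" name several bits in one option; noalert has no arg
            names = {n.strip() for n in re.split(r'[&|]', arg)} if arg else set()
            if action in ("set", "toggle"):
                self.sets |= names
            elif action in ("isset", "isnotset"):
                self.checks |= names


def parse_rules(text: str) -> Dict[int, Rule]:
    """Parse a rules file; '#alert ...' lines are kept as disabled rules."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not body.startswith(ACTIONS):
            continue  # an ordinary comment, not a commented-out rule
        m = SID_RE.search(body)
        if m:
            rules[int(m.group(1))] = Rule(int(m.group(1)), body, enabled)
    return rules


def resolve_flowbits(rules: Dict[int, Rule], selected: Set[int]) -> Set[int]:
    """Return the sids NOT in `selected` that must also be enabled so every
    flowbit checked by the selected rules (transitively) has a setter."""
    setters: Dict[str, Set[int]] = {}
    for r in rules.values():
        for bit in r.sets:
            setters.setdefault(bit, set()).add(r.sid)
    enabled = set(selected)
    added: Set[int] = set()
    frontier = list(selected)
    while frontier:  # fixpoint: a pulled-in setter may itself check other bits
        sid = frontier.pop()
        for bit in rules[sid].checks:
            for setter in setters.get(bit, ()):
                if setter not in enabled:
                    enabled.add(setter)
                    added.add(setter)
                    frontier.append(setter)
    return added


def dangling_flowbits(rules: Dict[int, Rule], selected: Set[int]) -> Set[str]:
    """Flowbits checked by the (resolved) rule set that no rule at all sets;
    a rule gated on such a bit can never alert."""
    all_set = {bit for r in rules.values() for bit in r.sets}
    active = selected | resolve_flowbits(rules, selected)
    return {bit for sid in active for bit in rules[sid].checks if bit not in all_set}


RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    chosen = {9000002, 9000006, 9000007}  # "a few malware rules", no POLICY rule
    for sid in sorted(resolve_flowbits(RULES, chosen)):
        state = "enabled" if RULES[sid].enabled else "was disabled"
        print(f"auto-enabled sid {sid} ({state}): {RULES[sid].msg}")
    for bit in sorted(dangling_flowbits(RULES, chosen)):
        print(f"warning: flowbit {bit} is checked but no rule sets it")
```

Selecting only the three MALWARE rules pulls in sid 9000001 (the POLICY-style setter) and, through the stage1/stage2 chain, 9000004 and then 9000003, which is the same effect the post describes with ET POLICY 2000419 appearing under the automatic flowbit rules. The dangling-bit check is the complementary failure mode: an `isset` whose setter is missing from every loaded ruleset silently never fires.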