Netgate Discussion Forum
    Alerts for new rule categories

    IDS/IPS
    • e-1-1

      Hi team,

      Is it a reasonable request to have Suricata or Snort alert (email/syslog/telegraf etc.) admins when new rule categories are made available?

      I had a look a couple of days ago at some interfaces where Suricata scans the traffic and the rule category section had a bunch of new items that were unselected.
      Have no problem manually enabling them, as auto-enable could bring mayhem over the traffic, but it would be more pleasant to be notified of this. Otherwise, bad traffic covered by newer, disabled-by-default rules will get past the IPS if news of newer categories slips past an admin.

      • bmeeks

        An IDS/IPS admin needs to keep very close tabs on the system. It is not a "set-and-forget" kind of thing. The GUI package does not know when new categories are added. It simply downloads the gzip archive from the rules vendors (Emerging Threats or Snort Subscriber) and unzips the content into a sub-directory.

        In order for the GUI to realize something had changed, it would need to track all the files in some manner externally and then do a compare with each rules update to see what changed; and then put that in some kind of message. That's a lot of coding overhead for very little gain. Right now it simply unzips the archive into a directory and then iterates through that directory to get the filenames and show them on the CATEGORIES tab.

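        The comparison bmeeks describes (store the list of rule files after each update, diff it against the next update, turn the difference into a message) is small enough to show end to end. The script below is an added illustration written for this page; it is not the pfSense package's own code (which is PHP) and it is not the change that later shipped under feature request #10809. The vendor sub-directory names, the JSON state file and the alert wording (modelled on the Telegram message quoted later in this thread) are assumptions; the sample rule files it creates are empty placeholders, not real vendor rules.

```python
"""Added example: detect new rule categories after a Suricata/Snort rules update.

The package only unpacks the vendor archive and lists the *.rules files it finds.
This script records that file list after each update and reports any filename
that was absent last time. Directory layout, state-file location and message
wording are assumptions for illustration.
"""
import json
import tempfile
from pathlib import Path

# Assumed layout: one sub-directory per rules vendor beneath the rules root.
VENDOR_DIRS = {
    "emergingthreats": "Emerging Threats Open rules",
    "snortrules": "Snort Subscriber rules",
}


def list_categories(rules_root):
    """Map each vendor label to the sorted list of *.rules filenames present."""
    found = {}
    for subdir, label in VENDOR_DIRS.items():
        vendor_dir = Path(rules_root) / subdir
        if vendor_dir.is_dir():
            found[label] = sorted(p.name for p in vendor_dir.glob("*.rules"))
    return found


def load_state(state_file):
    """Return the listing stored after the previous update, or None on first run."""
    path = Path(state_file)
    if not path.exists():
        return None
    return json.loads(path.read_text())


def save_state(state_file, categories):
    """Persist the current listing so the next update can be compared against it."""
    Path(state_file).write_text(json.dumps(categories, indent=2, sort_keys=True))


def diff_categories(previous, current):
    """Return (added, removed) as {label: [filenames]} between two listings."""
    added, removed = {}, {}
    for label in sorted(set(previous) | set(current)):
        old, new = set(previous.get(label, [])), set(current.get(label, []))
        if new - old:
            added[label] = sorted(new - old)
        if old - new:
            removed[label] = sorted(old - new)
    return added, removed


def format_alert(added, engine="Suricata"):
    """Render the notification, one line per new category file (assumed wording)."""
    lines = [f"{engine} new rule categories are available:"]
    for label, names in added.items():
        lines.extend(f"- {label}: {name}" for name in names)
    return "\n".join(lines)


def check_for_new_categories(rules_root, state_file):
    """Compare the current listing with the stored one; return alert text or None.

    The first run only records a baseline, so an existing install does not
    report every category it already has as "new".
    """
    current = list_categories(rules_root)
    previous = load_state(state_file)
    save_state(state_file, current)
    if previous is None:
        return None
    added, _removed = diff_categories(previous, current)
    return format_alert(added) if added else None


def populate(rules_root, files_by_subdir):
    """Create empty *.rules files: constructed sample input, not vendor rules."""
    for subdir, names in files_by_subdir.items():
        vendor_dir = Path(rules_root) / subdir
        vendor_dir.mkdir(parents=True, exist_ok=True)
        for name in names:
            (vendor_dir / name).touch()


def run_demo():
    """Simulate two rule updates in a scratch directory; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        rules, state = Path(tmp) / "rules", Path(tmp) / "categories.json"
        populate(rules, {"emergingthreats": ["emerging-malware.rules"],
                         "snortrules": ["snort_malware.rules"]})
        first = check_for_new_categories(rules, state)   # None: baseline only
        populate(rules, {"emergingthreats": ["threatview_CS_c2.rules"]})
        second = check_for_new_categories(rules, state)  # reports the new file
        return first, second


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

        Pointing `check_for_new_categories` at the real rules directory and calling it from whatever runs after the package's rules download would give the notification e-1-1 asked for; the returned text can be handed to syslog, email or a Telegram hook. The `removed` half of `diff_categories` is kept because a category that silently disappears from a vendor feed is just as worth a look as one that appears.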
        • e-1-1 @bmeeks

          @bmeeks Just chiming in to note this has been implemented via feature request #10809, working just fine.

          Received one alert via Telegram on Dec 11 last year, all good.

          Suricata new rule categories are available:
          - Emerging Threats Open rules: threatview_CS_c2.rules
          
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.