Alerts for new rule categories
Is it a reasonable request to have Suricata or Snort alert (email/syslog/telegraf etc.) admins when new rule categories are made available?
I had a look a couple of days ago at some interfaces where Suricata scans the traffic, and the rule category section had a bunch of new items that were unselected.
I have no problem manually enabling them, as auto-enabling could bring mayhem to the traffic, but it would be more pleasant to be notified of this. Otherwise, bad traffic covered by newer, disabled-by-default rules will get past the IPS if news of newer categories slips past an admin.
bmeeks last edited by bmeeks
An IDS/IPS admin needs to keep very close tabs on the system. It is not a "set-and-forget" kind of thing. The GUI package does not know when new categories are added. It simply downloads the gzip archive from the rules vendors (Emerging Threats or Snort Subscriber) and unzips the content into a sub-directory.
In order for the GUI to realize something had changed, it would need to track all the files in some manner externally and then do a compare with each rules update to see what changed, and then put that in some kind of message. That's a lot of coding overhead for very little gain. Right now it simply unzips the archive into a directory and then iterates through that directory to get the filenames and show them on the CATEGORIES tab.
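The bookkeeping bmeeks describes (keep a record of the category files seen last time, compare after each rules update, and turn the difference into a message) is small enough to do outside the GUI. The following POSIX sh script is an added example written for this thread; it is not code from the pfSense Suricata/Snort package or from either poster. It assumes the rules tarball has already been unpacked into a rules directory containing one `*.rules` file per category, and the directory path, manifest path and syslog tag are assumptions, not values the package uses.

```sh
#!/bin/sh
# Added example (not the pfSense package's own code): report rule
# categories that appeared since the last check, so that disabled-by-default
# categories in a fresh vendor archive do not go unnoticed.
#
# Assumed defaults; override with environment variables or arguments.
RULES_DIR="${RULES_DIR:-/usr/local/etc/suricata/rules}"      # assumption
MANIFEST="${MANIFEST:-/var/db/ids_rule_categories.manifest}" # assumption, kept outside RULES_DIR

# Print the sorted category names (basenames of *.rules files) in a
# rules directory, one per line. Sorting matters because comm(1) below
# requires sorted input.
list_categories() {
    for f in "$1"/*.rules; do
        [ -e "$f" ] || continue
        basename "$f" .rules
    done | sort
}

# Print categories present in the directory ($1) but absent from the
# manifest ($2). With no manifest yet (first run) every category is new.
new_categories() {
    if [ -f "$2" ]; then
        list_categories "$1" | comm -13 "$2" -
    else
        list_categories "$1"
    fi
}

# Compare, notify, then refresh the manifest so the next run only reports
# categories added after this one. Returns 0 if anything new was found,
# 1 otherwise (handy for chaining an email step with &&).
check_for_new_categories() {
    dir="$1"; manifest="$2"
    new=$(new_categories "$dir" "$manifest")
    list_categories "$dir" > "$manifest.tmp" && mv "$manifest.tmp" "$manifest"
    [ -n "$new" ] || return 1
    for c in $new; do
        printf 'new rule category available (not enabled): %s\n' "$c"
        # logger(1) writes to syslog on FreeBSD and Linux; the tag is an
        # assumption. Failure to log must not abort the check.
        logger -t ids-rules-watch "new rule category available: $c" 2>/dev/null || true
    done
    return 0
}

# Stand-alone use: ./rules-watch.sh [rules_dir [manifest]]
if [ "$#" -gt 0 ]; then
    check_for_new_categories "$1" "${2:-$MANIFEST}"
fi
```

Run it from cron shortly after the scheduled rules update, or append it to the update job, and pipe or mail its output as desired; syslog entries carry the `ids-rules-watch` tag so they can be picked up by an existing syslog/telegraf pipeline. The script only reports; enabling a category stays a manual decision, as the original post prefers.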