Suricata alert-to-drop via config file edit?
-
Referring to the following recent post:
Redesign Click Frenzy
I too am confronted with the click sprawl required to do this with a couple categories.
I assume there is a config file in the filesystem that can be edited to change alerts to drops.
Does anyone know if this is possible and, if so, what is the config file path/name?
-
There is no existing single config file for that. The suggested method is to use the facilities available on the SID MGMT tab. There, you can do a lot of things with rules such as enable them, disable them, change their action and even change some of their content using regex strings. Examples abound in the sample conf files available on that tab when you enable SID MGMT by checking the enable box. There is also a Sticky Post at the top of this forum describing the SID MGMT features inherent in both Snort and Suricata. Here is the link: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.
The clickable options on the RULES tab are intended for changing just two or three rules in a category. They are not meant to be used to change dozens or multiple dozens of rules. That job is better performed using the SID MGMT tab features. The way the GUI code has to store rule changes when you manually click things on the RULES tab is highly inefficient, and if you are changing tons of rules that way you will bloat your config.xml file. The SID MGMT tab is much more efficient with the way it can work to make and store rule changes.
-
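Since the asker's goal is converting whole categories from alert to drop, here is an added illustration of what a Drop SID file assigned on the SID MGMT tab can look like. It is a constructed example, not a file from this thread or one of the package's sample conf files; the category name, SIDs and pattern are placeholders to replace with your own. The line syntax is assumed to follow the pulledpork-style list format the sample conf files on that tab document (a gid:sid pair, a comma-separated list or range of them, a rule category filename, or a pcre: pattern); compare against the sample file on your own tab if a line is rejected.

```conf
# dropsid.conf (constructed example, not from the thread or the package samples)
# Assigned on the SID MGMT tab as the Drop SID File for an interface.
# Every rule an entry matches gets its action changed from alert to drop
# when the rule set is rebuilt. Comments and blank lines are ignored.

# Convert every rule in an entire category (placeholder category name)
emerging-scan.rules

# Convert individual rules by gid:sid, comma-separated (placeholder SIDs)
1:2100498,1:2010935

# Convert a contiguous range of SIDs (placeholder range)
1:2000000-1:2000100

# Convert every rule whose text matches a regular expression (placeholder pattern)
pcre:SCAN Potential SSH Scan
```

Two checks worth making after saving the file: the entries only change each rule's action, so whether traffic is actually blocked still depends on the IPS mode settings on the interface's edit tab, and the SID State Order setting on the SID MGMT tab decides how this file combines with the enable and disable files when they list the same SID. Rebuild the rules (or restart Suricata on the interface) and confirm on the RULES tab that the affected rules now show the drop action before relying on it.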
@bmeeks Impressive, Thanks.