Reply to Suricata in legacy mode block entire tor category with SID management on Mon, 06 Jun 2022 08:01:19 GMT

LucaA — Mon, 06 Jun 2022 08:01:19 GMT

@bmeeks
Hi bmeeks,
Thanks for your answer.
Greats, I have changed the category name into my Sid file and it perfectly works.
Appreciate.

Reply to Suricata in legacy mode block entire tor category with SID management on Sun, 05 Jun 2022 18:06:08 GMT

bmeeks — Sun, 05 Jun 2022 18:06:08 GMT

@lucaa said in Suricata in legacy mode block entire tor category with SID management:

Hi all,
i am new with pfsense and Suricata as well.
I have installed suricata packages and set it in IPS mode (block).
I am setting in drop some rules one by one but I need to automatic do this job with the SID management feature.
I tried to add a new dropsid_custom.conf file as belos

START

et-tor

END

I have applied the file to the Drop SID list on the interfaces and check "rebuild" before save.
No categories or rules are using my file.
can you help me please?

thanks in advance

L.

Your rule category name is incorrect. You must use the name as shown on the CATEGORIES tab. So without looking to refresh my memory, I think instead of "et-tor" you should have "emerging-tor". Go look at the actual rule category filenames on the CATEGORIES tab in Suricata. That's the name you should use when wanting the SID MGMT feature to "match" a category name.