Suricata in legacy mode block entire tor category with SID management
-
Hi all,
I am new with pfSense and Suricata as well.
I have installed the suricata packages and set it in IPS mode (block).
I am setting some rules to drop one by one, but I need to do this job automatically with the SID management feature.
I tried to add a new dropsid_custom.conf file as below:
START
et-tor
END
I have applied the file to the Drop SID list on the interfaces and checked "rebuild" before saving.
No categories or rules are using my file.
Can you help me please? Thanks in advance.
L.
-
@lucaa said in Suricata in legacy mode block entire tor category with SID management:
Hi all,
I am new with pfSense and Suricata as well.
I have installed the suricata packages and set it in IPS mode (block).
I am setting some rules to drop one by one, but I need to do this job automatically with the SID management feature.
I tried to add a new dropsid_custom.conf file as below:
START
et-tor
END
I have applied the file to the Drop SID list on the interfaces and checked "rebuild" before saving.
No categories or rules are using my file.
Can you help me please? Thanks in advance.
L.
Your rule category name is incorrect. You must use the name as shown on the CATEGORIES tab. So without looking to refresh my memory, I think instead of "et-tor" you should have "emerging-tor". Go look at the actual rule category filenames on the CATEGORIES tab in Suricata. That's the name you should use when wanting the SID MGMT feature to "match" a category name.
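The mismatch bmeeks points to (a category name in the SID MGMT file that matches no rule file on the CATEGORIES tab) is easy to check before clicking rebuild. The script below is an added example, not pfSense or Suricata project code. It assumes the file layout shown in the post (category names one per line between START and END markers, with "#" comment lines) and that a category name is valid when a file named <category>.rules exists in the Suricata rules directory; the sample file contents and rule filenames are constructed for the demonstration.

```python
"""Check the category names in a pfSense Suricata SID management file
against the rule files actually installed.

Added example (not pfSense or Suricata project code). Assumptions:
- the SID MGMT file lists one category name per line between START and
  END markers, as in the post above; '#' lines are comments (assumed);
- a category name is valid when '<name>.rules' exists in the rules
  directory, i.e. the names shown on the CATEGORIES tab (assumed).
"""
import difflib
import os
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample input: the file from the post, with the wrong name.
SAMPLE_CONF = """# dropsid_custom.conf (constructed sample)
START
et-tor
END
"""

# Constructed sample of filenames one might see in the rules directory.
SAMPLE_RULE_FILES = [
    "emerging-tor.rules",
    "emerging-malware.rules",
    "emerging-scan.rules",
    "README",
]


def parse_sid_mgmt_categories(text: str) -> List[str]:
    """Return the entries listed in the file, skipping comments and the
    START/END marker lines (assumed format)."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("START", "END"):
            continue
        entries.append(line)
    return entries


def installed_categories(rule_filenames: Iterable[str]) -> Set[str]:
    """Category names as pfSense shows them: the .rules filename without
    its suffix. Non-rule files are ignored."""
    suffix = ".rules"
    return {f[:-len(suffix)] for f in rule_filenames if f.endswith(suffix)}


def categories_from_dir(rules_dir: str) -> Set[str]:
    """Read the installed category names from a rules directory on disk."""
    return installed_categories(os.listdir(rules_dir))


def check_sid_file(text: str, rule_filenames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every category name in the file that matches no installed rule
    file to the closest installed name (None when nothing is close).
    An empty result means every category name will be matched."""
    known = installed_categories(rule_filenames)
    problems: Dict[str, Optional[str]] = {}
    for name in parse_sid_mgmt_categories(text):
        if ":" in name:  # a gid:sid entry, not a category name
            continue
        if name in known:
            continue
        close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.5)
        problems[name] = close[0] if close else None
    return problems


if __name__ == "__main__":
    # Run against the constructed sample; on a firewall you would pass
    # categories_from_dir("/usr/local/etc/suricata/rules") instead (path assumed).
    for bad, suggestion in check_sid_file(SAMPLE_CONF, SAMPLE_RULE_FILES).items():
        hint = f"did you mean '{suggestion}'?" if suggestion else "no similar category"
        print(f"unknown category '{bad}': {hint}")
```

On the sample input it reports that "et-tor" matches no rule file and suggests "emerging-tor", which is the fix that resolved the thread; with the corrected name the check returns nothing.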
-
@bmeeks
Hi bmeeks,
Thanks for your answer.
Great, I have changed the category name in my SID file and it works perfectly.
Appreciated. BR
L.