Suricata Feodo Botnet and ABUSE.ch SSL Blacklist
-
These options have probably been in here forever but I've only now noticed them. Is anyone using them? Caused any issues? How useful are they? I wonder why they aren't in their own categories on the interface categories page like all the other rulesets so I guess they get processed differently.
-
@stewart said in Suricata Feodo Botnet and ABUSE.ch SSL Blacklist:
These options have probably been in here forever but I've only now noticed them. Is anyone using them? Caused any issues? How useful are they? I wonder why they aren't in their own categories on the interface categories page like all the other rulesets so I guess they get processed differently.
These were added by request (if I recall correctly) about 2 years ago (specifically, April of 2021). They are really just IP lists maintained by a third party and made available for public, free downloading.
They are listed on the CATEGORIES tab (when they are enabled on the GLOBAL SETTINGS tab), but because each is only a single file they are treated like the Snort GPLv2 Community Rules and shown on a line by themselves.
The GUI code for both Snort and Suricata has some "smarts" built in so that certain settings for things that are not enabled are hidden. So if the download of these rules is not enabled on the GLOBAL SETTINGS tab, then they are hidden on the CATEGORIES tab. Same for the Snort VRT rules and others.
-
@bmeeks So enabling them just adds the options in the categories view? That's good to know.
-
@stewart said in Suricata Feodo Botnet and ABUSE.ch SSL Blacklist:
@bmeeks So enabling them just adds the options in the categories view? That's good to know.
It also sets them to be automatically downloaded/updated during the periodic rules update cron task. But it does NOT mean they are automatically used to inspect traffic. That only happens when you enable them on the CATEGORIES tab by checking the box, or they are pulled in by conf settings on the SID MGMT tab.