Suricata inline mode: easier way to add single rules to drop-list?



  • Are there any plans to make it easier adding single rules to the dropsid.conf-file in suricata on inline mode?

    Best to me would be if you would be able to choose a single alert in the "Alert" view of the Suricata GUI and tap on a (to be added) icon named e.g. "add this alert to drop list".

    Actually it is a bit too much work if you see an alert not being dropped and decide to let it be dropped in the future.

    In Suricata you have to go to interfaces > settings > LAN rules > look for the matching category > look for the alert > write down the GID and SID > go back to SID Mgmt > edit the dropsid.conf and - finally ;) - add the GID:SID to that file.

    Would be great if you could shorten the process.



  • @peter808:

    Are there any plans to make it easier adding single rules to the dropsid.conf-file in suricata on inline mode?

    Best to me would be if you would be able to choose a single alert in the "Alert" view of the Suricata GUI and tap on a (to be added) icon named e.g. "add this alert to drop list".

    Actually it is a bit too much work if you see an alert not being dropped and decide to let it be dropped in the future.

    In Suricata you have to go to interfaces > settings > LAN rules > look for the matching category > look for the alert > write down the GID and SID > go back to SID Mgmt > edit the dropsid.conf and - finally ;) - add the GID:SID to that file.

    Would be great if you could shorten the process.

    A good idea for sure! I will work on making it easier/faster to change rules to DROP while using inline IPS mode.

    Bill



  • Thanks, Bill !



  • @peter808:

    Are there any plans to make it easier adding single rules to the dropsid.conf-file in suricata on inline mode?

    Best to me would be if you would be able to choose a single alert in the "Alert" view of the Suricata GUI and tap on a (to be added) icon named e.g. "add this alert to drop list".

    Actually it is a bit too much work if you see an alert not being dropped and decide to let it be dropped in the future.

    In Suricata you have to go to interfaces > settings > LAN rules > look for the matching category > look for the alert > write down the GID and SID > go back to SID Mgmt > edit the dropsid.conf and - finally ;) - add the GID:SID to that file.

    Would be great if you could shorten the process.

    It would be great to have the ability to modify drop rules directly from the GUI without modifying files.



  • @cplmayo:

    It would be great to have the ability to modify drop rules directly from the GUI without modifying files.

    As part of the enhancement idea mentioned up above, I am thinking about an icon on the ALERTS tab and perhaps the RULES tab associated with a GID:SID that would let you swap that rule to DROP. Other rule text modifications are more problematic due to storage space in the config.xml file where Snort shares configuration info with the rest of the firewall. If we try to store the text of all the rules in there (where user customization would have to go), the file gets really large. Storing just the GID:SID number pair is much simpler and compact, and the GUI could find the rule and just change ALERT to DROP where the GID:SID matched.

    Bill
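
    The GID:SID-to-DROP mechanism Bill describes above, as an added Python sketch (not the pfSense package's own code): it reads a dropsid.conf-style list (assumed here to be one GID:SID pair per line with '#' comments), resolves each rule's GID:SID (GID defaults to 1 when the rule has no gid option), and rewrites matching enabled alert rules to drop while leaving disabled rules alone. The rules and SIDs are constructed samples, not entries from a real ruleset.

```python
import re

# Constructed dropsid.conf: one GID:SID pair per line, '#' comments (assumed format).
DROPSID_CONF = """\
# rules to switch from alert to drop
1:2000345
3:2100498
"""

# Constructed rules in Suricata syntax (placeholder SIDs, not real ruleset entries).
RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE outbound probe"; sid:2000345; rev:3;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE web attack"; sid:2000346; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:2000347; rev:1;)
alert tcp any any -> any 22 (msg:"SAMPLE explicit gid"; gid:3; sid:2100498; rev:2;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

def load_dropsids(text):
    """Return the set of (gid, sid) pairs listed in dropsid.conf-style text."""
    pairs = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        gid, sid = line.split(':', 1)
        pairs.add((int(gid), int(sid)))
    return pairs

def rule_gid_sid(rule):
    """Extract (gid, sid) from one rule line; gid defaults to 1 when absent."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def apply_dropsids(rules_text, dropsids):
    """Rewrite the action of enabled 'alert' rules whose GID:SID is listed to 'drop'.
    Disabled rules (commented out with '#') are left untouched."""
    out = []
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith('alert ') and rule_gid_sid(stripped) in dropsids:
            line = line.replace('alert ', 'drop ', 1)
        out.append(line)
    return '\n'.join(out) + '\n'
```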



  • Hi Bill,

    did you already find the time to work on it?



  • @peter808:

    Hi Bill,

    did you already find the time to work on it?

    No, not yet. Been busy on some other non-pfSense related stuff. These other activities have been interfering with my volunteer time for the Suricata and Snort packages.

    Bill



  • @bmeeks:

    No, not yet. Been busy on some other non-pfSense related stuff. These other activities have been interfering with my volunteer time for the Suricata and Snort packages.

    Bill

    Understandable, this feature will definitely make Suricata much more newbie friendly. I have been using pfSense for three years and going in and modifying the files was daunting. I can only imagine a new user attempting something similar.

    Great work so far! Can't wait to see what you come up with.



  • @peter808:

    Hi Bill,

    did you already find the time to work on it?

    Hi Bill,

    I kindly renew my question.