Netgate Discussion Forum

    Suricata inline mode: easier way to add single rules to drop-list?

    Category: IDS/IPS | 9 Posts, 3 Posters, 3.1k Views
    peter808

      Are there any plans to make it easier to add single rules to the dropsid.conf file in Suricata in inline mode?

      Best to me would be if you were able to choose a single alert in the "Alerts" view of the Suricata GUI and tap on a (to be added) icon named e.g. "add this alert to drop list".

      Actually it is a bit too much work if you see an alert not being dropped and decide to let it be dropped in the future.

      In Suricata you have to go to Interfaces > Settings > LAN rules > look for the adapting category > look for the alert > write down the GID and SID > go back to SID Mgmt > edit the dropsid.conf and - finally ;) - add the GID:SID to that file.

      Would be great if you could shorten the process.

      bmeeks

        @peter808: [quoting the original post above]

        A good idea for sure!  I will work on making it easier/faster to change rules to DROP while using inline IPS mode.

        Bill

        peter808

          Thanks, Bill!

          cplmayo

            @peter808: [quoting the original post above]

            It would be great to have the ability to modify drop rules directly from the GUI without modifying files.

            bmeeks

              @cplmayo:

              It would be great to have the ability to modify drop rules directly from the GUI without modifying files.

              As part of the enhancement idea mentioned up above, I am thinking about an icon on the ALERTS tab and perhaps the RULES tab associated with a GID:SID that would let you swap that rule to DROP.  Other rule text modifications are more problematic due to storage space in the config.xml file where Snort shares configuration info with the rest of the firewall.  If we try to store the text of all the rules in there (where user customization would have to go), the file gets really large.  Storing just the GID:SID number pair is much simpler and compact, and the GUI could find the rule and just change ALERT to DROP where the GID:SID matched.

              Bill

              peter808
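Bill's proposal above (keep only GID:SID pairs in the config, then locate the matching rule and swap its action from alert to drop) is straightforward to show in code. The following Python is an added example, not code from the pfSense Suricata package; it assumes a dropsid.conf-style file holding one GID:SID per line (with `#` comments), rules in standard Suricata syntax where a missing gid means gid 1, and constructed sample data for both.

```python
import re
from typing import Optional, Set, Tuple

# Constructed sample dropsid.conf: one GID:SID per line, '#' comments assumed
DROPSID_CONF = """\
# rules to switch from alert to drop in inline IPS mode
1:2100498
1:2013028
"""

# Constructed sample rules (hypothetical, not from any real ruleset);
# the last one is disabled with a leading '#', as pfSense does for disabled rules
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh probe"; sid:2100498; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED curl user-agent"; content:"curl"; sid:2013028; rev:4;)
alert tcp any any -> $HOME_NET 80 (msg:"CONSTRUCTED untouched"; gid:1; sid:2999999; rev:1;)
# alert tcp any any -> $HOME_NET 23 (msg:"CONSTRUCTED disabled rule"; sid:2100498; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(\s*)alert(\s)")   # only the leading action keyword


def parse_dropsid(text: str) -> Set[Tuple[int, int]]:
    """Return the set of (gid, sid) pairs listed in a dropsid.conf-style file."""
    pairs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        gid, sid = line.split(":", 1)
        pairs.add((int(gid), int(sid)))
    return pairs


def rule_key(rule: str) -> Optional[Tuple[int, int]]:
    """Extract (gid, sid) from one rule line; gid defaults to 1 when absent."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_dropsid(rules_text: str, drop: Set[Tuple[int, int]]) -> str:
    """Rewrite 'alert' to 'drop' on every enabled rule whose GID:SID is listed."""
    out = []
    for line in rules_text.splitlines():
        if rule_key(line) in drop and not line.lstrip().startswith("#"):
            line = ACTION_RE.sub(r"\1drop\2", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"
```

Commented-out (disabled) rules are left alone even when their SID is listed, so enabling a rule later does not silently turn it into a drop rule.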

                Hi Bill,

                did you already find the time to work on it?

                bmeeks

                  @peter808:

                  Hi Bill,

                  did you already find the time to work on it?

                  No, not yet.  Been busy on some other non-pfSense related stuff.  These other activities have been interfering with my volunteer time for the Suricata and Snort packages.

                  Bill

                  cplmayo

                    @bmeeks:

                    No, not yet.  Been busy on some other non-pfSense related stuff.  These other activities have been interfering with my volunteer time for the Suricata and Snort packages.

                    Bill

                    Understandable, this feature will definitely make Suricata much more newbie friendly. I have been using pfSense for three years and going in and modifying the files was daunting. I can only imagine a new user attempting something similar.

                    Great work so far! Can't wait to see what you come up with.

                    peter808

                      @peter808:

                      Hi Bill,

                      did you already find the time to work on it?

                      Hi Bill,

                      I kindly renew my question.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.