Project

General

Profile

Actions

Support #3520

closed

Applying filters

Added by Rahul Surya almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:

Description

I have downloaded the emerging threat rules using suricata-update,Can we apply the filters enable.conf,disable.conf,modify.conf and drop.conf in the current existing rules folder without fetching the rules from url or from cache location everytime ?

Actions #1

Updated by Kenneth Kolano almost 5 years ago

Likely related to the desire here to enable quick testing of config modifications...

I've found that modifications made via modify.conf may not be applied. I'm not clear, but I'm guessing that it's likely due to such modifications not revising the rule's revision #. We may need to detect when updates occur to those files and ignore rev # checks on effected rules, or at least document that modify rules may need to also update revision to be applied.

Actions #2

Updated by Rahul Surya almost 5 years ago

So you are telling, if we modify any rule from alert to drop manually and if we do suricata- update, it will consider the rule as modified one and revert it back.(in order to do nothing with changes ,we have to update that rule sid in modify conf).

But here the tool must act like management tool right irrespective of downloading and managing....

Actions #3

Updated by Jason Ish almost 5 years ago

Rahul Surya wrote:

I have downloaded the emerging threat rules using suricata-update,Can we apply the filters enable.conf,disable.conf,modify.conf and drop.conf in the current existing rules folder without fetching the rules from url or from cache location everytime ?

No, it always rebuilds from from online or the cache. It will only go online if the cache is older than 15 minutes. You can force it to not go online with the --offline option.

The process is:
- Load files from cache
- Make modifications
- Write output

So you are telling, if we modify any rule from alert to drop manually and if we do suricata- update, it will consider the rule as modified one and revert it back.(in order to do nothing with changes ,we have to update that rule sid in modify conf).

That is correct. It doesn't look at any modifications you may have made to the output file. If you use suricata-update, you must use it to make your modifications. This is the same as the tools before this like Oinkmaster and PullPork.

Actions #4

Updated by Rahul Surya almost 5 years ago

ok thanks for the information.

Actions #5

Updated by Jason Ish almost 5 years ago

  • Priority changed from Urgent to Normal
Actions #6

Updated by Shivani Bhardwaj almost 5 years ago

Hi Rahul!

Does Jason's comment help you with your situation? Please let us know if we're good to close this issue now. Thank you.

Actions #7

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from New to Closed

Closing this issue assuming it has been resolved because of inactivity. Please feel free to open a new issue in case you face this again. Thank you.

Actions

Also available in: Atom PDF