
List:       oisf-users
Subject:    Re: [Oisf-users] Rule being alerted even though it is disabled.
From:       Andreas Herz <aherz () oisf ! net>
Date:       2020-01-20 20:05:25
Message-ID: 20200120200523.xnflqssi26oqkacq () ns333105 ! ip-37-187-125 ! eu

Hi Todd,

On 27/12/19 at 09:05, Todd Adam wrote:
> and here is what is in /var/lib/suricata/rules/suricata.rules
> # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux
> APT User-Agent Outbound likely related to package management";
> flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent;
> reference:url,help.ubuntu.com/community/AptGet/Howto;
> classtype:not-suspicious; sid:2013504; rev:5; metadata:created_at
> 2011_08_31, updated_at 2011_08_31;)

Is this the only line with that rule or is there maybe a duplicate where
it's enabled again?

Also, how does your rule-file configuration look in the suricata
config?

-- 
Andreas Herz
_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
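The first question in the reply, whether the sid also appears somewhere uncommented, can be answered mechanically. The following script is an added example (not code from the thread or from the Suricata project) that scans a rules file, records every occurrence of each sid together with whether that line is commented out, and reports sids that occur more than once; the sample rules file is constructed for the example and the sid 9000001 rule is made up.

```python
import re
from collections import defaultdict

# Constructed sample of a suricata.rules file. sid 2013504 appears twice,
# once commented out (disabled) and once enabled. The enabled copy is what
# makes Suricata alert on a rule the operator believes is disabled.
SAMPLE_RULES = """\
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:5; metadata:created_at 2011_08_31, updated_at 2011_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:5; metadata:created_at 2011_08_31, updated_at 2011_08_31;)
alert tcp any any -> any 22 (msg:"CONSTRUCTED example rule"; sid:9000001; rev:1;)
# This is an ordinary comment, not a disabled rule.
"""

# A rule line starts with an action keyword, optionally preceded by '#'
# (a commented-out, i.e. disabled, rule). Other comment lines are ignored.
ACTION_RE = re.compile(r"^\s*(#\s*)?(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return a list of (line_no, sid, enabled) for every rule line."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACTION_RE.match(line)
        if not m:
            continue  # blank line or plain comment
        s = SID_RE.search(line)
        if not s:
            continue  # no sid option: not something Suricata would load
        found.append((n, int(s.group(1)), m.group(1) is None))
    return found

def find_conflicts(text):
    """Map sid -> [(line_no, enabled), ...] for sids that occur more than once."""
    by_sid = defaultdict(list)
    for n, sid, enabled in parse_rules(text):
        by_sid[sid].append((n, enabled))
    return {sid: occ for sid, occ in by_sid.items() if len(occ) > 1}

def effectively_enabled(text):
    """Set of sids with at least one uncommented copy; these can still alert."""
    return {sid for _, sid, enabled in parse_rules(text) if enabled}

if __name__ == "__main__":
    for sid, occ in find_conflicts(SAMPLE_RULES).items():
        print(f"sid {sid} appears {len(occ)} times (line, enabled): {occ}")
```

Run it against /var/lib/suricata/rules/suricata.rules instead of SAMPLE_RULES to see whether the sid from the thread has an enabled duplicate.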