You can't use that syntax, the syntax for a threshold/suppression is |
Hi
I'd like to change 100 rules to apply the same threshold.
The situation is that I have a server in the local network that is accessed from the internet by port forwarding from the router (yes, I know... it was not my decision) and I'd like to tune the rules 2403300 to 2403399 (ET CINS Active Threat Intelligence Poor Reputation IP group 1-99) in order to suppress when the destination.ip is this exposed server.
I guess there is no way to bulk-apply a threshold, and I have thought of manually changing the file
/opt/so/saltstack/local/salt/suricata/thresholding/sids.yaml
using an ID list or range, but I haven't found documentation about this and I guess it's not possible. I have tried a few things like this:

    2400000-2400099:
      - suppress:
          gen_id: 1
          track: by_dst
          ip: $EXPOSED_IPS

and this

    "2400000-2400099":
      - suppress:
          gen_id: 1
          track: by_dst
          ip: $EXPOSED_IPS

I'd appreciate any ideas.
Thanks!
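
Since a SID range is not accepted as a key, one workaround is to generate one entry per SID and paste the output into sids.yaml. This is an added example, not code from the post or from Security Onion; it assumes the file takes one quoted SID key per rule in the entry layout used in the post, and the function name and the address 192.0.2.10 are constructed placeholders.

```python
import ipaddress

# track values accepted by Suricata suppress entries
VALID_TRACK = {"by_src", "by_dst", "by_either"}


def suppress_entries(first_sid, last_sid, ip, track="by_dst", gen_id=1):
    """Return YAML text with one suppress entry per SID in [first_sid, last_sid].

    Assumption: sids.yaml wants a separate quoted SID key for every rule.
    """
    if first_sid > last_sid:
        raise ValueError("first_sid must not exceed last_sid")
    if track not in VALID_TRACK:
        raise ValueError(f"track must be one of {sorted(VALID_TRACK)}")
    # A rule variable such as $EXPOSED_IPS is passed through unchanged (whether
    # it is resolved is up to the sensor). Anything else must parse as an
    # address or CIDR, so a malformed value is caught before deployment.
    if not ip.startswith("$"):
        ipaddress.ip_network(ip, strict=False)
    blocks = []
    for sid in range(first_sid, last_sid + 1):
        blocks.append(
            f"'{sid}':\n"
            f"  - suppress:\n"
            f"      gen_id: {gen_id}\n"
            f"      track: {track}\n"
            f"      ip: {ip}\n"
        )
    return "".join(blocks)


if __name__ == "__main__":
    # SID range from the post; 192.0.2.10 stands in for the exposed server.
    print(suppress_entries(2403300, 2403399, "192.0.2.10"), end="")
```

Review the generated text before merging it into the existing file, since every entry removes alerts for that SID whenever the tracked address matches.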