Hi all,
I'm looking for a way to disable one Suricata rule by its SID without disabling the whole category. Is it enough to put the SID taken from evebox in the file /etc/pulledpork/disablesid.conf, followed by a signal-event nethserver-suricata-update and systemctl restart suricata?
What can I do if I only want to whitelist an IP address, so that it is not filtered by any rule?
BR Stefano
Yes, that should do it.
I didn't test it, but you may create your own rule file /etc/suricata/rules/passip.rules
with the following content:
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:100000;)
To add it to /etc/suricata/suricata.yaml, we need a (dirty) copied custom template:
cp /etc/e-smith/templates/etc/suricata/suricata.yaml/10base /etc/e-smith/templates-custom/etc/suricata/suricata.yaml/
Edit /etc/e-smith/templates-custom/etc/suricata/suricata.yaml/10base and add "- passip" at line 64:
...
rule-files:
  - passip
{
    $blockCategories = $suricata{'BlockCategories'} || '';
...
A signal-event nethserver-suricata-update is needed to apply the changes.
The disadvantage of this solution is that if the Suricata template file is updated, e.g. by a system update, you have to manually copy the template to the custom one (/etc/e-smith/templates-custom/etc/suricata/suricata.yaml/10base). You can find more information about templates in the docs.
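The three file edits discussed in this thread (the pass rule file, the "- passip" line in the copied template, and the disablesid.conf entry), as an added shell example that is not code from the thread or from NethServer. The functions take the paths they should modify as arguments, so you can run them against a scratch copy first; the demo at the bottom does exactly that on a constructed stub of the template, not the real 10base. Assumptions: pulledpork's disablesid.conf takes gid:sid entries and ET/Suricata text rules are gid 1, so a SID taken from evebox is written as 1:SID; the SID 2000000 in the demo is only a placeholder; the rule numbering starting at 100000 follows the answer above.

```shell
#!/bin/sh
# Added example, not code from the thread or from NethServer: the three file
# edits from the answer above as idempotent shell functions that operate on
# whatever paths they are given, so they can be tried on a scratch copy
# before touching /etc.

# write_pass_rules FILE FIRST_SID IP... : one "pass ip" rule per address or
# CIDR, numbered FIRST_SID, FIRST_SID+1, ... (rev:1 so later edits can bump it).
write_pass_rules() {
    file=$1
    sid=$2
    shift 2
    : > "$file"
    for ip in "$@"; do
        printf 'pass ip %s any <> any any (msg:"pass all traffic from/to %s"; sid:%s; rev:1;)\n' \
            "$ip" "$ip" "$sid" >> "$file"
        sid=$((sid + 1))
    done
}

# add_rule_file TEMPLATE NAME : insert "  - NAME" right after the first
# "rule-files:" line unless an entry for NAME is already present.
add_rule_file() {
    tmpl=$1
    name=$2
    if grep -q "^[[:space:]]*- $name\$" "$tmpl"; then
        return 0
    fi
    awk -v n="$name" '
        { print }
        /^rule-files:/ && !inserted { print "  - " n; inserted = 1 }
    ' "$tmpl" > "$tmpl.tmp" && mv "$tmpl.tmp" "$tmpl"
}

# disable_sid CONF SID : assumption: pulledpork's disablesid.conf takes
# gid:sid entries, and ET/Suricata text rules are gid 1, so a bare SID
# becomes "1:SID". Appends only if the exact line is not already there.
disable_sid() {
    conf=$1
    entry="1:$2"
    grep -qx "$entry" "$conf" 2>/dev/null || echo "$entry" >> "$conf"
}

# count_lines FILE REGEX : number of matching lines (0 instead of an error).
count_lines() {
    grep -c -- "$2" "$1" || true
}

# Demo on a scratch directory with a constructed stub of the template
# (only the lines relevant here, not the real 10base).
work=$(mktemp -d)
cat > "$work/10base" <<'EOF'
rule-files:
{
    $blockCategories = $suricata{'BlockCategories'} || '';
EOF
write_pass_rules "$work/passip.rules" 100000 1.2.3.4 10.0.0.0/8
add_rule_file "$work/10base" passip
add_rule_file "$work/10base" passip     # second call is a no-op
disable_sid "$work/disablesid.conf" 2000000   # placeholder SID, not a real rule
cat "$work/passip.rules" "$work/10base" "$work/disablesid.conf"
rm -rf "$work"
```

On a real system you would point the functions at /etc/suricata/rules/passip.rules, the copied template under /etc/e-smith/templates-custom, and /etc/pulledpork/disablesid.conf, and then run signal-event nethserver-suricata-update as described above; a pass rule matches before any alert or drop rule for that traffic, so keep the whitelist as narrow as the use case allows.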
Thanks Markus, disabling the SID by putting it in disablesid.conf works like a charm. I will try the other suggestion in a few days and let you know if it works too.
BR