IPS Categories to enable

suricata
ips
v7

(Federico Ballarini) #1

NethServer Version: 7
Module: IPS

Which categories do I have to enable on IPS Suricata?

I don’t know how they appeared…
Thanks.


(Markus Neuberger) #2

Maybe you installed/updated it from nethserver-testing repo?

I’d say, it really depends on your environment. I put all categories to alert to check if there are warnings for a week and will block them if needed.
You may also set all to block and test if your apps are working…


(Federico Ballarini) #3

Oh yes, I have installed the nethserver-testing repo…
But where can I see the alerts?


(Markus Neuberger) #4

You may install evebox from testing.


(Federico Ballarini) #5

Can anyone help me analyze EveBox alerts?


(Markus Neuberger) #6

For sure. Please open a new topic, post your specific EveBox alert and the community will try to help you.


(Joel Clendineng) #7

https://rules.emergingthreats.net/open/suricata/rules/

Here are all the rules it uses. Emerging-Rules are the rules Suricata pulls from. If you have a rules question, open the rule and read it for a better idea of what it's doing/blocking. Rules are also located in the suricata folder on the server. I'd say everything can be left as “Blocked” except “Policy”, as that can be set on “Alert”. Policy is mainly possible inter-network policy violations, like plaintext passwords sent over a network and the like.
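Added example, not part of the thread or of NethServer's own code: a small script that tallies Suricata `eve.json` alerts per rule category, to support the "alert for a week, then decide what to block" approach from post #2 and the per-category advice in post #7. It assumes the category is the second word of the rule message (as in "ET POLICY ..."); the sample lines are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines (signatures, SIDs and addresses are made up).
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"192.168.1.20","alert":{"action":"allowed","signature_id":1000001,"signature":"ET POLICY Constructed cleartext login"}}',
    '{"event_type":"alert","src_ip":"192.168.1.20","alert":{"action":"allowed","signature_id":1000001,"signature":"ET POLICY Constructed cleartext login"}}',
    '{"event_type":"alert","src_ip":"192.168.1.31","alert":{"action":"allowed","signature_id":1000002,"signature":"ET POLICY Constructed updater user-agent"}}',
    '{"event_type":"alert","src_ip":"203.0.113.5","alert":{"action":"allowed","signature_id":1000003,"signature":"ET SCAN Constructed port sweep"}}',
    '{"event_type":"dns","src_ip":"192.168.1.20","dns":{"type":"query"}}',
    '{"event_type":"alert","src_ip":"192.168.1.20","alert":{"act',  # truncated line
]

def rule_category(signature):
    """Assumption: ET/GPL rule messages start with '<ruleset> <CATEGORY> ...'."""
    parts = signature.split()
    if len(parts) >= 2 and parts[0] in ("ET", "GPL"):
        return parts[1].upper()
    return "OTHER"

def summarize(lines):
    """Group alert events by category; skip other event types and unparsable lines."""
    summary = defaultdict(lambda: {"alerts": 0, "sources": set(), "signatures": Counter()})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # the last line may be incomplete while Suricata is still writing
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue
        signature = event.get("alert", {}).get("signature", "")
        entry = summary[rule_category(signature)]
        entry["alerts"] += 1
        entry["sources"].add(event.get("src_ip"))
        entry["signatures"][signature] += 1
    return dict(summary)

def report(summary):
    """One line per category, busiest first, with its most frequent signature."""
    rows = []
    for cat, e in sorted(summary.items(), key=lambda kv: -kv[1]["alerts"]):
        top_sig, top_n = e["signatures"].most_common(1)[0]
        rows.append(f"{cat:<8} alerts={e['alerts']} hosts={len(e['sources'])} top={top_sig} ({top_n})")
    return rows

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_EVE))))
```

Categories that stay quiet during the observation period are the low-risk ones to switch to block; noisy ones deserve a look at the top signature and source hosts first.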


(Federico Ballarini) #8

I have created the topic.
Thanks.