Suricata difficult matching of rules in evebox to categories

When looking at alerts in evebox, the rules have a Signature, Category and Signature ID. However, neither the category names in the web admin interface of nethserver nor the names in /etc/pulledpork/dropsid.conf match these names exactly. There are only similar names, and it is very difficult to match these if you want to disable categories or rules.

Is there any means to match these items? How can I identify, which names to use in the web admin interface and in *sid.conf files?

1 Like

@support_team Can anybody help here?

@jfernandez @Jclendineng @filippo_carletti @mark_nl can help here @mrmarkuz

In general it’s the word after ET shown in the signature.

ET SCAN refers to Scan in the web UI, ET POLICY refers to Policy and so on.

The only exception I found is ET CINS for CIArmy.

You can see the rule category names in /etc/suricata/rules/*.rules or here.

http://docs.nethserver.org/en/v7/suricata.html
http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-pulledpork.html

Please note that it’s not necessary to edit /etc/pulledpork/dropsid.conf manually as using the web UI will overwrite your changes. If you really need some special config you need to use a custom template for templated files.

1 Like
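The mapping described in the reply above, worked through as an added example (this is not code from the thread, from NethServer or from pulledpork): read eve.json alert records the way evebox shows them, take the word after "ET" in the signature as the rule-set category (with the one exception the reply names, ET CINS to CIArmy), and look the signature ID up in the *.rules files to see which file it lives in. The EVE "category" field is the classtype text from classification.config, which is why it never matches the rule-set category names. Assumptions beyond the thread: the sample alerts and rule lines are constructed and simplified, title-casing the category word (SCAN to Scan, POLICY to Policy) is assumed to hold for the categories the reply does not list, and the `gid:sid` reference is the form pulledpork's *sid.conf files take.

```python
import json
import re

# Constructed eve.json alert records in the shape Suricata writes them; the
# "alert" object carries the three fields evebox shows (signature, category,
# signature_id). These are not captured from a real sensor.
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "alert", "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10",
                "alert": {"gid": 1, "signature_id": 2000001, "rev": 3,
                          "signature": "ET SCAN Potential SSH Scan (constructed)",
                          "category": "Attempted Information Leak"}}),
    json.dumps({"event_type": "alert", "src_ip": "198.51.100.9", "dest_ip": "192.0.2.10",
                "alert": {"gid": 1, "signature_id": 2000002, "rev": 1,
                          "signature": "ET CINS Poor Reputation IP (constructed)",
                          "category": "Misc Attack"}}),
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10", "dest_ip": "192.0.2.11"}),
])

# Constructed, simplified rule files keyed by the file name they would have
# under /etc/suricata/rules/. Real ET files hold thousands of rules each.
SAMPLE_RULES = {
    "emerging-scan.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
        '(msg:"ET SCAN Potential SSH Scan (constructed)"; flags:S; '
        'classtype:attempted-recon; sid:2000001; rev:3;)'
    ),
    "emerging-ciarmy.rules": (
        '# alert ip [198.51.100.0/24] any -> $HOME_NET any '
        '(msg:"ET CINS Poor Reputation IP (constructed)"; '
        'classtype:misc-attack; sid:2000002; rev:1;)'
    ),
}

# Category words whose web UI name is not simply the title-cased word.
# The thread reports only this one; extend it if you find more.
EXCEPTIONS = {"CINS": "CIArmy"}

# msg:"..." precedes sid:N; in every ET rule, so one non-greedy regex suffices.
RULE_RE = re.compile(r'msg:"([^"]*)".*?\bsid:(\d+);')


def ui_category(signature):
    """Web UI category name derived from the word after 'ET' (assumed title-case)."""
    m = re.match(r"ET\s+([A-Z0-9_]+)", signature)
    if not m:
        return None  # not an ET rule (e.g. GPL or local rules)
    word = m.group(1)
    return EXCEPTIONS.get(word, word.capitalize())


def alerts_from_eve(text):
    """Yield (gid, sid, signature, eve_category) for alert records only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        yield a["gid"], a["signature_id"], a["signature"], a["category"]


def index_rules(rules_by_file):
    """Map sid -> (file name, msg, enabled). Commented-out rules are indexed too,
    since pulledpork disables a rule by commenting it rather than deleting it."""
    idx = {}
    for fname, text in rules_by_file.items():
        for line in text.splitlines():
            line = line.strip()
            enabled = not line.startswith("#")
            m = RULE_RE.search(line.lstrip("# "))
            if m:
                idx[int(m.group(2))] = (fname, m.group(1), enabled)
    return idx


def resolve(eve_text, rules_by_file):
    """For each alert: gid:sid reference, UI category, rule file and enabled state."""
    idx = index_rules(rules_by_file)
    out = []
    for gid, sid, sig, evecat in alerts_from_eve(eve_text):
        fname, _msg, enabled = idx.get(sid, (None, None, None))
        out.append({
            "sid_ref": f"{gid}:{sid}",      # gid:sid form used in *sid.conf
            "signature": sig,
            "eve_category": evecat,          # classtype text, not the rule set
            "ui_category": ui_category(sig),
            "rule_file": fname,
            "enabled": enabled,
        })
    return out


if __name__ == "__main__":
    for row in resolve(SAMPLE_EVE, SAMPLE_RULES):
        print(row)
```

On a real box, replace the constructed samples by reading /var/log/suricata/eve.json and globbing /etc/suricata/rules/*.rules; the output tells you which web UI category to toggle for a whole class of alerts, and which `gid:sid` a single rule corresponds to if you ever do need a custom template for the *sid.conf files.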