Tested and working great! Enabled the testing repo but the software center would not allow me to install because of a conflict with ntop, but I SSHed in and manually installed the packages and it's working great. I need to do some reading up on what the different categories mean, but it's fantastic. I'm sure I can add rules from other sources such as snort/other suricata rules? This is great.
Edit: So I can add .rules files with “ET-****.rule” in the suricata rules folder and it looks like it accepts it, naming is off but it's fantastic.
Packages from testing should always be installed from command line.
EveBox and Suricata don’t conflict with ntopng, but the new ntopng-pcap package does.
As you found, actually, the web interface displays all files named “ET-*” from /etc/suricata/rules.
We could also add other file names; what rules do you use? Can you find a name pattern for them too?
Rules are downloaded and alerts are set up. It’s been 2 days and still no alerts. I even created a local.rules to do some testing and still nothing. My local rule is simply
drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:10000001;)
I still get Facebook. What am I missing? I see Drops and Rejects in firewall.log, but nothing in Suricata drop.log
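Two things decide whether a local.rules entry like the one above actually blocks anything: the `drop` action only drops packets when Suricata runs inline (IPS mode, e.g. NFQUEUE); in sniffing/IDS mode a matching `drop` rule is only logged as an alert. And `http_header`/`http_*` keywords inspect decoded plaintext HTTP, so they never see an HTTPS site; a TLS rule on the SNI (`tls.sni`) is what matches there. The script below is an added example, not code from this thread or from NethServer: it parses Suricata rule lines in the format posted above and reports the effective action and those two pitfalls for each rule. The second sample rule and the Suricata 4.x `tls.sni` sticky-buffer syntax are assumptions for illustration; both sample rules are constructed here.

```python
"""Parse Suricata rules and report what each one will actually do.

Added example (not from the thread, not NethServer's code). Sample rules
are constructed; `tls.sni` assumes Suricata 4.x+ sticky-buffer syntax.
"""
import re
from dataclasses import dataclass

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Keywords that inspect decoded HTTP buffers (never populated for TLS traffic).
HTTP_KEYWORDS = {"http_header", "http.header", "http_host", "http.host",
                 "http_uri", "http.uri", "http_method", "http.method"}
# Keywords that inspect the TLS handshake (what an HTTPS site still exposes).
TLS_KEYWORDS = {"tls.sni", "tls_sni", "tls.cert_subject", "tls_cert_subject"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # (keyword, value-or-None) pairs in rule order

    def keywords(self) -> set:
        return {k for k, _ in self.options}

    def option(self, key: str):
        for k, v in self.options:
            if k == key:
                return v
        return None


def split_options(opts: str) -> list:
    """Split 'k:v; k2; ...' on semicolons that are outside double quotes."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    result = []
    for p in parts:
        if not p:
            continue
        key, sep, val = p.partition(":")
        result.append((key.strip(), val.strip().strip('"') if sep else None))
    return result


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Suricata rule: {line!r}")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], split_options(m["opts"]))


def effective_action(rule: Rule, inline: bool) -> str:
    """'drop' only drops in inline (IPS) mode; in IDS mode it is an alert."""
    if rule.action == "drop" and not inline:
        return "alert"
    return rule.action


def lint(rule: Rule, inline: bool) -> list:
    """Warnings a practitioner wants before trusting a local rule."""
    warnings, kws = [], rule.keywords()
    if rule.action == "drop" and not inline:
        warnings.append("drop only blocks when Suricata runs inline (IPS); "
                        "in IDS mode the match is logged as an alert")
    if kws & HTTP_KEYWORDS and not kws & TLS_KEYWORDS:
        warnings.append("http_* keywords inspect plaintext HTTP only; an HTTPS "
                        "site needs a TLS keyword such as tls.sni")
    if rule.option("sid") is None:
        warnings.append("missing sid")
    return warnings


# Constructed samples: the rule from the thread and a TLS-SNI variant.
SAMPLE_RULES = [
    'drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook.com"; '
    'http_header; nocase; classtype:policy-violation; sid:10000001;)',
    'drop tls any any -> any any (msg:"facebook.com via TLS SNI"; tls.sni; '
    'content:"facebook.com"; nocase; classtype:policy-violation; sid:10000002;)',
]


def report(lines, inline=False):
    """Return (sid, effective action, warnings) for each rule line."""
    return [(r.option("sid"), effective_action(r, inline), lint(r, inline))
            for r in map(parse_rule, lines)]


if __name__ == "__main__":
    for sid, act, warns in report(SAMPLE_RULES, inline=False):
        print(f"sid {sid}: effective action = {act}")
        for w in warns:
            print("   ", w)
```

Run it against your own local.rules (one rule per line) with `inline=True` if Suricata is attached to NFQUEUE and `inline=False` if it only sniffs an interface; a rule whose effective action is `alert` will never write to drop.log no matter how well it matches.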