NethServer Version: 7.4.1708
Module: Suricata IPS
I found an interesting behaviour in Suricata. If I block the "Policy" rule category, yum is blocked. Yum-cron is affected too. In EveBox I see:
ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
Yum update does not work:
[root@nethserver markus]# yum update
Geladene Plugins: changelog, fastestmirror, nethserver_events, priorities
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
12: Timeout on http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock: (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds')
Maybe it's because I just have one green network interface and Suricata wants to block client network yum updates?
OK, so just set "Policy" to "Alert", but the problem is that the policy category also includes things like
ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
which I do want to block. All other rule categories I set to block work like a charm. Is there a way to block server attacks and to allow yum?