Wrong IPS categories in the documentation?

suricata

(Michael Träumner) #1

I can't find the following IPS categories on my system:

  • Activex
  • Attackresponse
  • Chat
  • Current Events
  • Decoder-events
  • Drop
  • Dshield
  • HTTP-Events
  • SMTP-events
  • Stream-events
  • TLS-Events

I want to ask whether others are missing these categories too, in which case we have to adapt the documentation.
If not, I want to ask why these categories are missing for me.


(Markus Neuberger) #2

They are not sorted alphabetically, so it's not easy to check, but I am missing some categories too:

  • Decoder-events
  • HTTP
  • Stream
  • TLS


(Filippo Carletti) #3

Those 4 are not “real” categories. Experts only.
Alerts contained in those categories are about inconsistencies in protocols and streams.
In highly sensitive environments, you could enable them to spot novel kinds of attacks, or tricks, or anything unusual.
Keep in mind that those are “noisy” rules.

Some systems have those 4 extra categories because for a brief period of time they were distributed with the rules update (those are usually shipped by default with Suricata).
It's perfectly normal not to have them (and it avoids the risk of enabling them).
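As an added example (not part of the thread above, and not NethServer or Suricata project code), the check below shows how to verify on a given system which of Suricata's bundled protocol/stream event rule files are present and whether `suricata.yaml` actually enables them in its `rule-files:` list. It assumes the upstream file names (`decoder-events.rules`, `stream-events.rules`, `http-events.rules`, `tls-events.rules`, `smtp-events.rules`, `app-layer-events.rules`, `dns-events.rules`) and the default paths `/etc/suricata/rules` and `/etc/suricata/suricata.yaml`; distributions that keep rules under `/usr/share/suricata/rules` or `/var/lib/suricata/rules` need the first argument adjusted. The function name `check_event_rules` is this example's own.

```shell
#!/bin/sh
# Added example: report which Suricata event rule files exist in a rules
# directory and whether suricata.yaml enables them (uncommented entry under
# "rule-files:"). File names follow upstream Suricata; paths are assumptions.

EVENT_RULES="decoder-events.rules stream-events.rules http-events.rules tls-events.rules smtp-events.rules app-layer-events.rules dns-events.rules"

# check_event_rules RULES_DIR SURICATA_YAML
# Prints one line per event rule file:
#   <file> present=yes|no enabled=yes|no rules=<count of 'alert' lines>
# followed by a summary line "active_event_files=<n>" counting files that
# are both present on disk and enabled in the YAML.
check_event_rules() {
  rules_dir="$1"
  yaml="$2"
  active=0
  for f in $EVENT_RULES; do
    present=no
    count=0
    if [ -f "$rules_dir/$f" ]; then
      present=yes
      # Count only active signatures; commented-out rules start with '#'.
      count=$(grep -c '^alert' "$rules_dir/$f" || true)
    fi
    # Escape dots so the file name is matched literally in the YAML list.
    pattern=$(printf '%s' "$f" | sed 's/\./\\./g')
    enabled=no
    if grep -Eq "^[[:space:]]*-[[:space:]]*${pattern}[[:space:]]*$" "$yaml" 2>/dev/null; then
      enabled=yes
    fi
    printf '%s present=%s enabled=%s rules=%s\n' "$f" "$present" "$enabled" "$count"
    if [ "$present" = yes ] && [ "$enabled" = yes ]; then
      active=$((active + 1))
    fi
  done
  printf 'active_event_files=%s\n' "$active"
}

# Stand-alone usage: defaults to the common Suricata paths (assumption).
check_event_rules "${1:-/etc/suricata/rules}" "${2:-/etc/suricata/suricata.yaml}"
```

If `active_event_files` is 0, the categories are simply not installed or not enabled, which matches the "perfectly normal" case described above; a non-zero count tells you which of the noisy event categories are live and worth reviewing before they flood the alert log.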