Open skamoen opened 7 years ago
Does your suricata.yaml only reference scirius.rules? If not, you may have some other rules loaded. Another possibility is that a suricata rules update/restart is needed.
I didn't touch the part on rules since installation, but there's a whole list of rule files in suricata.yaml. Should only scirius.rules be in there?
Yes - you should only have scirius.rules activated in the suricata.yaml
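A quick way to check what the two replies above recommend (which rule files suricata.yaml actually loads, and which of them defines the alerting SID). This is an added example, not code from the thread or from Scirius/SELKS; the file layout built in demo() is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from Scirius/SELKS): list the rule files that
# suricata.yaml loads and find which one defines a given SID.
set -eu

# Print the entries of the top-level "rule-files:" list in a suricata.yaml.
rule_files_from_yaml() {
    awk '
        /^rule-files:/ { in_list = 1; next }
        in_list && /^[[:space:]]*-[[:space:]]*/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next }
        in_list && /^[^[:space:]#]/ { in_list = 0 }
    ' "$1"
}

# Print the rule file(s) under directory $2 that define sid $1.
# Remaining arguments are the file names taken from rule-files:.
files_defining_sid() {
    sid="$1"; dir="$2"; shift 2
    for f in "$@"; do
        [ -f "$dir/$f" ] || continue
        if grep -Eq "sid:[[:space:]]*${sid}[[:space:]]*;" "$dir/$f"; then
            echo "$f"
        fi
    done
}

# Constructed sample reproducing the situation in the thread:
# scirius.rules is not the only file listed, and the SID lives elsewhere.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/suricata.yaml" <<'EOF'
default-rule-path: /etc/suricata/rules
rule-files:
 - scirius.rules
 - tor.rules
classification-file: /etc/suricata/classification.config
EOF
    printf 'alert tcp any any -> any any (msg:"managed by scirius"; sid:2523300; rev:1;)\n' > "$tmp/scirius.rules"
    printf 'alert tcp any any -> any any (msg:"ET TOR sample"; sid:2523318; rev:1;)\n' > "$tmp/tor.rules"

    # Word-splitting of the file list is intended here.
    # shellcheck disable=SC2046
    files_defining_sid 2523318 "$tmp" $(rule_files_from_yaml "$tmp/suricata.yaml")
    rm -rf "$tmp"
}
```

Run with the real paths (`/etc/suricata/suricata.yaml` and its default-rule-path) to see whether the SID that Scirius cannot find comes from a file other than scirius.rules.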
I'm running SELKS, and I'm getting alerts for SID 2523318 (ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 660). Alerts for this rule show up in the graphs, but they don't show up under "Rules Activity", and a manual lookup at /rules/rule/pk/2523318/ results in a 404. I'd like to suppress this rule, but without access from Scirius that doesn't really seem possible. Scirius does have a lot of similar rules like "ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group xxx", but they only go up to 624.
Any idea what could be going on here?