Revert to default Suricata signatures? #10216
-
|
I was doing some testing and ingested quite a few Suricata signatures from a MISP instance and realized that most are very poorly written, and am now getting a ton of false-positives. Is there an easy way to revert back to the default to remove the signatures that I ingested? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
|
How were you ingesting those rules? Did you add the URL to your manager.sls file like below? idstools: |
Beta Was this translation helpful? Give feedback.
-
|
I exported the generated signatures from MISP into a file and added them to '/opt/so/saltstack/local/salt/idstools/local.rules' per the documentation (https://docs.securityonion.net/en/2.3/local-rules.html). I ended up manually running the salt-call/so-rule-update which then added the rules to '/opt/so/rules/nids/all.rules'. The entire process worked seamlessly, just some of the signatures aren't written/generated well and are giving me lots of false positives. Now I just want to revert back to the default ET then take a more selective approach at ingesting any rules from my MISP instance. |
Beta Was this translation helpful? Give feedback.
-
|
Ah, clearing out the '/opt/so/saltstack/local/salt/idstools/local.rules' and running a 'so-rule-update' got rid of them. |
Beta Was this translation helpful? Give feedback.
Ah, clearing out the '/opt/so/saltstack/local/salt/idstools/local.rules' and running a 'so-rule-update' got rid of them.