Setting up TALOS policies for suricata fast.log still possible? #2028
Hey guys, but right now it seems like I am logging every single match of the TALOS all.rules and it's flooding Suricata's fast.log. In the documentation for 14.04 it was possible to choose a policy (e.g. connectivity, balanced, security) right after selecting the Snort/TALOS ruleset. Is it still possible to choose a policy for the TALOS ruleset somehow? If it is, where can I do that? I'd like to log a bit less, just the higher severity levels. I'm about to write a script to check a detection's sid and compare it with all.rules to log only the detections that match the policy "balanced-ips", for example, but a valid solution would be nice. Thank you in advance!
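The filtering the question sketches (keep only the fast.log alerts whose sid is tagged with a chosen Talos policy) written out as an added Python example; it is not code from this discussion or from Security Onion. It assumes the Snort-style rule text carries `metadata:policy <name> <action>` tags in the form Talos publishes them, and the rule lines and fast.log lines below are constructed for the demonstration, not taken from a real deployment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rules in Snort/Talos text-rule syntax (not a real ruleset).
SAMPLE_RULES = """\
# comment line, ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb probe"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; sid:9000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE noisy user-agent"; content:"User-Agent|3A| curl"; metadata:policy security-ips alert, ruleset community; sid:9000002; rev:1;)
# alert ip any any -> any any (msg:"EXAMPLE commented out"; sid:9000009; rev:1;)
alert ip any any -> any any (msg:"EXAMPLE no policy metadata"; sid:9000003; rev:1;)
"""

# Constructed sample Suricata fast.log lines in the same layout Suricata writes.
SAMPLE_FAST_LOG = """\
03/14/2023-12:00:01.000001  [**] [1:9000001:2] EXAMPLE smb probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51000 -> 10.0.0.7:445
03/14/2023-12:00:02.000002  [**] [1:9000002:1] EXAMPLE noisy user-agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:40000 -> 198.51.100.9:80
03/14/2023-12:00:03.000003  [**] [1:9000003:1] EXAMPLE no policy metadata [**] [Classification: (null)] [Priority: 3] {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353
03/14/2023-12:00:04.000004  [**] [3:40000:1] EXAMPLE gid 3 alert [**] [Classification: (null)] [Priority: 1] {TCP} 203.0.113.5:1 -> 10.0.0.7:2
"""

RULE_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
RULE_META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+([\w-]+)\s+(\w+)")
# [**] [gid:sid:rev] msg [**] ... [Priority: N]
FAST_LOG_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?\[Priority:\s*(\d+)\]"
)

RuleKey = Tuple[int, int]  # (gid, sid): sids are only unique within a gid


def load_policy_sids(rules_text: str) -> Dict[str, Dict[RuleKey, str]]:
    """Map policy name -> {(gid, sid): action} from the rule file's metadata tags."""
    policies: Dict[str, Dict[RuleKey, str]] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out (disabled) rule
        sid_m = RULE_SID_RE.search(line)
        meta_m = RULE_META_RE.search(line)
        if not sid_m or not meta_m:
            continue  # no sid, or no metadata at all: cannot belong to a policy
        gid_m = RULE_GID_RE.search(line)
        key = (int(gid_m.group(1)) if gid_m else 1, int(sid_m.group(1)))
        for name, action in POLICY_RE.findall(meta_m.group(1)):
            policies.setdefault(name, {})[key] = action
    return policies


def parse_fast_log(log_text: str) -> List[dict]:
    """Extract gid, sid, rev, msg and priority from each fast.log alert line."""
    alerts = []
    for line in log_text.splitlines():
        m = FAST_LOG_RE.search(line)
        if not m:
            continue  # not an alert line (or a layout this parser does not know)
        gid, sid, rev, msg, prio = m.groups()
        alerts.append({"gid": int(gid), "sid": int(sid), "rev": int(rev),
                       "msg": msg, "priority": int(prio), "raw": line})
    return alerts


def filter_alerts(alerts: List[dict], policies: Dict[str, Dict[RuleKey, str]],
                  policy: str = "balanced-ips", drop_only: bool = False,
                  max_priority: Optional[int] = None) -> List[dict]:
    """Keep alerts whose (gid, sid) is tagged with `policy`, optionally only those
    the policy would drop, and optionally only those at or above a priority
    (lower number = higher severity in fast.log)."""
    members = policies.get(policy, {})
    kept = []
    for a in alerts:
        action = members.get((a["gid"], a["sid"]))
        if action is None:
            continue  # sid not in this policy (or not in the text rules at all)
        if drop_only and action != "drop":
            continue
        if max_priority is not None and a["priority"] > max_priority:
            continue
        kept.append(a)
    return kept


if __name__ == "__main__":
    pol = load_policy_sids(SAMPLE_RULES)
    for a in filter_alerts(parse_fast_log(SAMPLE_FAST_LOG), pol, "balanced-ips"):
        print(a["raw"])
```

Alerts are matched on the (gid, sid) pair rather than sid alone, because sids are only unique within a generator id; an alert whose gid/sid has no entry in the text rules (the constructed gid 3 line above) is dropped by the filter, which is the behaviour you want when the noise comes from rules that are not in the file you are policing against.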
Replies: 1 comment 1 reply
TALOS rules are designed for Snort. Many of those rules will run on Suricata, but Shared Object rules will not and may result in the flooding that you're seeing. For more information, please see #1727.