Drop rules in SELK.

[suri cata]

Hello everyone.

 Right now I have SELKS with alert only rules. I want to apply drop rules. Apart from modifying or creating rules to be drop, do I have to do something else?

 Greetings,

[Peter Manev]

Hi ,

You can consult the docs here -
https://scirius.readthedocs.io/en/latest/ruleset.html#action-transformation

Please also feel free to drop in our discord chat if you would like to
discuss more.

Thank you

> --
> Discord: Let's talk about SELKS on
> https://discord.com/channels/911231224448712714/911238451842666546
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/blog
> Twitter: @StamusN
> ---
> You received this message because you are subscribed to the Google Groups "SELKS" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to selks+un...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/selks/d4305377-5d2b-40c9-a863-f2bcdd7f8ca0n%40googlegroups.com.



--
Regards,
Peter Manev

[suri cata]

Hello peter

Thanks for answering.

What you tell me I already have prepared. I meant at the configuration level in the Suricata .yaml or at the network level:

/opt/selksd/SELKS/docker/containers-data/suricata/etc

selks6-addin.yaml

suricata.yaml

af-packet / dpdk

Best regards

[Peter Manev]

Hi,

What config changes are those , if you could share some detail so to
determine where is best to put those.

Thanks

> To view this discussion on the web visit https://groups.google.com/d/msgid/selks/ac5c3605-295b-4915-aeaa-9a94f230c1can%40googlegroups.com.



--
Regards,
Peter Manev

[suri cata]

Hi, Peter.

Sorry for the delay in answering.

I think I didn't explain myself well. Now my SELKS works in IDS mode. What I want to know is that I have to modify in the .yaml file and in the system to make it work in IPS mode. I already have the rules prepared.

Thank you

[Peter Manev]

Hi,

Something like this should work https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IPS 

I mean setting it up is identical for suricata regardless of the system used.

Thanks !

-- 

Regards,

Peter Manev 

On 13 Jun 2023, at 08:11, suri cata <suri.w...@gmail.com> wrote:



To view this discussion on the web visit https://groups.google.com/d/msgid/selks/7c9abc41-6104-40b7-a343-374eb64f3f42n%40googlegroups.com.

[suri cata]

Thank you Peter.

I remember when we only have one network interface, in netmap we had a setting for netmap in the case of copy-mode tap.

Can you do the same with af_packet and copy-mode ips ?

Greetings,

[suri cata]

Hi,

I'm seeing that we can use netmap with just a copy-mode ips network interface.

I understand that it is not necessary to use iptables either.

[Peter Manev]

Hi ,

Yes , should work - 

See the af_packet IPS section 
https://docs.suricata.io/en/suricata-7.0.0-rc1/setting-up-ipsinline-for-linux.html

Thank you 

-- 

Regards,

Peter Manev 

On 13 Jun 2023, at 10:41, suri cata <suri.w...@gmail.com> wrote:



Thank you Peter.

I remember when we only have one network interface, in netmap we had a setting for netmap in the case of copy-mode tap.

To view this discussion on the web visit https://groups.google.com/d/msgid/selks/9e23c8d5-cfa3-407c-8831-baa2ada52995n%40googlegroups.com.

<copy-mode.png>

[suri cata]

Hi,

I try the IPS mode with netmap and tell the experience here.