Editing Signatures in Intrusion Prevention
You may go into IPS and notice that there is a large list of rules but all the edit options are grayed out. This is because the rules come from a third-party source (Emerging Threats), and by default you can't change them. You CAN, however, do essentially the same thing by copying the rule:
1. First copy the rule you want to use as a base for your rule:
2. Edit the signature as needed. If you need guidance on editing signatures, see the Suricata documentation: https://suricata.readthedocs.io/en/suricata-4.1.3/rules/index.html
3. Create rules in the Rules tab that will match on the rule you created. Since most signatures use "Group Identifier: 1", you can use "Group Identifier: 2" to identify any rules you have created and enable the recommended action for those signatures with a rule like:
4. Now save in the bottom-right corner and you're done!
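The copy-and-retag steps above, applied to raw signature text, as an added example that is not part of the original article or the product's own code. It assumes the UI's "Group Identifier" corresponds to Suricata's `gid` keyword and that copies take a `sid` from the 1000000-1999999 range conventionally reserved for local rules; the sample rule and the function names are constructed for illustration.

```python
import re

LOCAL_SID_MIN, LOCAL_SID_MAX = 1000000, 1999999  # assumed: range reserved for local rules
CUSTOM_GID = 2  # the article's convention: gid 2 marks rules you created

# Constructed sample signature (not a real Emerging Threats rule).
SAMPLE = (r'alert http $HOME_NET any -> $EXTERNAL_NET any '
          r'(msg:"EXAMPLE constructed rule"; flow:established,to_server; '
          r'content:"a\;b"; nocase; classtype:policy-violation; '
          r'sid:2099999; rev:3;)')

def parse_rule(rule):
    """Split a single-line rule into (header, [(keyword, value-or-None), ...])."""
    m = re.match(r'^(.*?)\((.*)\)\s*$', rule.strip(), re.S)
    if not m:
        raise ValueError("not a rule: no option block")
    opts = []
    # An option ends at ';' unless the ';' is escaped as '\;' inside a value.
    for raw in re.split(r'(?<!\\);', m.group(2)):
        raw = raw.strip()
        if raw:
            key, sep, val = raw.partition(':')
            opts.append((key.strip(), val.strip() if sep else None))
    return m.group(1).strip(), opts

def copy_as_custom(rule, new_sid):
    """Return a copy of the rule tagged gid:2 with a fresh local sid and rev:1."""
    if not LOCAL_SID_MIN <= new_sid <= LOCAL_SID_MAX:
        raise ValueError("choose a sid in the local range so it cannot "
                         "collide with the vendor's rule")
    header, opts = parse_rule(rule)
    # Drop the vendor's identity keywords, keep every detection keyword as-is.
    opts = [(k, v) for k, v in opts if k not in ("gid", "sid", "rev")]
    opts += [("gid", str(CUSTOM_GID)), ("sid", str(new_sid)), ("rev", "1")]
    body = " ".join(f"{k};" if v is None else f"{k}:{v};" for k, v in opts)
    return f"{header} ({body})"

def gid_of(rule):
    """gid of a rule; Suricata treats a missing gid as 1."""
    return int(dict(parse_rule(rule)[1]).get("gid", 1))

if __name__ == "__main__":
    custom = copy_as_custom(SAMPLE, 1000001)
    print(custom)
    print("original gid:", gid_of(SAMPLE), "| copy gid:", gid_of(custom))
```

Filtering on `gid_of(rule) == 2` selects only the copies, which is what the "Group Identifier: 2" condition in the Rules tab does.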