Editing Signatures in Intrusion Prevention

You may go into IPS and notice that there is a large list of rules but all the edit options are grayed out. This is due to the fact that the rules come from a third party source (Emerging Threats) and by default you can't change them. You CAN, however, do essentially the same thing by copying the rule:

 1. First copy the rule you want to use as a base for your rule:

 

2. Edit the signature as needed. If you need guidance on editing signatures, please view the documentation on Suricata: https://suricata.readthedocs.io/en/suricata-4.1.3/rules/index.html

 

3. Create rules in the Rules tab that will match on the rule you created. Since most signatures use "Group Identifier: 1", you can use - "Group Identifier: 2" to identify any rules you have created and enable the recommended action for those signatures with a rule like:

4. Now save in the bottom right corner and you've done it! 

Follow
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk