Choosing IPS/Suricata Rules (was: Suricata rules)

Hi, I have a very specific question regarding IPS Suricata rules. Since my last hardware change, and since I have enough hardware for running Suricata with all rules and available free providers ON, I got to a point where I have about 30 seconds of internet before DNS spoofs and ICMP network misc activity as well as Microsoft overflow attempt. My question is if there is any constraint in enabling all available rules in IPS? As I understand by my tests, running DHCP on with my laptop routed to a fixed connection doesn't break connectivity. All happens when I connect the red to the router modem from the provider. A network restart is needed to have 30 more seconds of ping to If a reboot is done then I have 30 seconds of all sites available.
Suricata all rules on? Or do the oldest ones, like Windows Server 2003 and Windows XP, have to be filtered and turned off?

If you turn all suricata rules on you have a high likelihood of stopping everything working.

For instance there are some rules that will block all apt-get update requests for debian/ubuntu. All such requests will be blocked. There are other rules that block other traffic. If you don’t use that traffic then no problem but if you want that type of traffic then you should not enable those rules.

You have to look at what the rules are intended to protect against and be sure that you don’t need that traffic before activating them.

See this wiki page from the IPS wiki section which describes how to determine the rules that you should apply.

It also suggests that when you first start you set the IPS to monitor only for each ruleset provider so that legitimate traffic is not blocked. Once you have reviewed the logs and made sure that the selected rulesets and rules are stopping things that should be stopped and not giving false positives, then you can change that provider's rules to block instead of monitor with confidence that you won't have many false positives.

The IPS wiki is worth reading through together with the further reading sections at the end.
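One way to do that log review before switching a provider from monitor to block, as an added example that is not from this thread or from IPFire/Suricata: it parses Suricata eve.json alert lines, groups them by signature id, and ranks the signatures that fire from internal hosts toward ordinary service ports, which are the first to check for false positives. The log lines, the 10.0.0.x internal prefix and the rule names are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed eve.json alert lines (Suricata EVE JSON, one record per line).
# Real records carry many more fields; only the ones used below are included.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"9.9.9.9","dest_port":53,'
    '"alert":{"action":"allowed","signature_id":2000001,"signature":"EXAMPLE DNS reply rule"}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"9.9.9.9","dest_port":53,'
    '"alert":{"action":"allowed","signature_id":2000001,"signature":"EXAMPLE DNS reply rule"}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"151.101.1.1","dest_port":80,'
    '"alert":{"action":"allowed","signature_id":2000002,"signature":"EXAMPLE apt-get update rule"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"1.1.1.1"}',
    '{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":445,'
    '"alert":{"action":"allowed","signature_id":2000003,"signature":"EXAMPLE SMB exploit attempt"}}',
])

def parse_alerts(text):
    """Yield alert records from eve.json text, skipping other event types and bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            yield rec

def summarize(text):
    """Group alerts by signature id: hit count, source hosts, destination ports, actions."""
    out = defaultdict(lambda: {"signature": "", "hits": 0, "src_ips": set(),
                               "dest_ports": set(), "actions": set()})
    for rec in parse_alerts(text):
        a = rec["alert"]
        s = out[a["signature_id"]]
        s["signature"] = a.get("signature", "")
        s["hits"] += 1
        s["src_ips"].add(rec.get("src_ip"))
        s["dest_ports"].add(rec.get("dest_port"))
        s["actions"].add(a.get("action"))  # "allowed" in monitor mode, "blocked" once enforcing
    return dict(out)

def review_candidates(summary, local_prefix="10.0.0."):
    """Rank signatures hit by internal hosts toward common service ports (DNS, HTTP, HTTPS, NTP).
    These are the likely false positives to inspect before enabling block mode."""
    common_ports = {53, 80, 443, 123}
    ranked = []
    for sid, s in summary.items():
        internal = sum(1 for ip in s["src_ips"] if ip and ip.startswith(local_prefix))
        if internal and s["dest_ports"] & common_ports:
            ranked.append((s["hits"], internal, sid, s["signature"]))
    return [(sid, sig) for _, _, sid, sig in sorted(ranked, reverse=True)]
```

Run the two functions over a real eve.json captured while the provider is in monitor mode; the top of the list is what to examine first.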


Thanks, then I can safely say that for 30 seconds Suricata is not working when turning the system on :weary: