ET rules are blocking or alerting

Is anyone familiar with the ET Community rules?
Does “Action: alert” mean that they block traffic, or just log and alert?

Whenever I see a strange one in the IPS log, I click on the reference SID and try to see what it is about, and I always see that the action says ALERT. So this ALERT information is on the ruleset provider’s website (Proofpoint), not on the IPFire WUI.

Does it mean that this particular event was blocked or not blocked and only an alert was issued?

Here are some screenshots of the rules:
Here is a typical ET DROP Dshield:

and here is an ET POLICY - potential corporate policy violation:

These are my settings:
I have IPS enabled on RED and GREEN
and am subscribed to the ET Community rules.
“Monitor traffic only” is disabled.

If IPS is enabled and monitor is not checked,
it was blocked.
If it did not cause someone a problem,
I would not worry about it.

2 Likes

Hello,

I also use ET rules, but on my machines the rules listed above appear with the DROP action.
A possible explanation is the file /var/ipfire/suricata/oinkmaster-modify-sids.conf, which contains some rule modifications from alert to drop.

Example for the rules you listed above:

/var/lib/suricata/emerging-dshield.rules:drop ip [89.248.165.0/24,193.201.9.0/24,45.155.205.0/24,185.156.73.0/24,91.240.118.0/24,80.82.64.0/24,45.143.203.0/24,91.191.209.0/24,193.163.125.0/24,185.196.220.0/24,141.98.10.0/24,92.63.197.0/24,146.88.240.0/24,45.154.96.0/24,78.128.113.0/24,89.248.163.0/24,138.99.216.0/24,45.135.232.0/24,94.102.61.0/24,192.241.213.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:6300; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2022_06_08;)

Hope it clarifies things.

1 Like
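To check what a given SID will actually do on a box where oinkmaster-modify-sids.conf rewrites the action, here is an added example (not IPFire's or Suricata's own code) that applies oinkmaster-style modifysid directives to rule text and reports the effective action per SID. The directive text and the disabled sample rule are constructed for the example; only the Dshield rule (with a shortened address list) comes from the post above, and the exact contents of IPFire's real file are an assumption.

```python
import re

# Constructed sample: a minimal oinkmaster-style directive of the kind the
# IPFire file is described as containing (real file contents are assumed).
MODIFY_SIDS_CONF = r'''
# turn every enabled alert rule into a drop rule
modifysid * "^alert" | "drop"
'''

# Constructed sample rules: the Dshield rule quoted above (address list
# shortened) plus one made-up rule that a local admin disabled with '#'.
RULES = r'''
alert ip [89.248.165.0/24,193.201.9.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; classtype:misc-attack; sid:2402000; rev:6300;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED example rule disabled locally"; sid:9000001; rev:1;)
'''

DIRECTIVE_RE = re.compile(r'^modifysid\s+(\S+)\s+"(.*)"\s*\|\s*"(.*)"\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_modifysid(conf):
    """Return a list of (sid_set_or_None_for_*, compiled_regex, replacement)."""
    directives = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable modifysid line: {line}")
        sids, pattern, repl = m.groups()
        sid_set = None if sids == "*" else {int(s) for s in sids.split(",")}
        directives.append((sid_set, re.compile(pattern), repl))
    return directives

def effective_actions(rules, directives):
    """Map each SID to the action Suricata will apply after the rewrites."""
    result = {}
    for rule in rules.splitlines():
        m = SID_RE.search(rule)
        if not m:
            continue
        sid = int(m.group(1))
        for sid_set, regex, repl in directives:
            if sid_set is None or sid in sid_set:
                rule = regex.sub(repl, rule)
        # A '#'-prefixed rule never matched "^alert", so it stays disabled.
        result[sid] = "disabled" if rule.lstrip().startswith("#") else rule.split(None, 1)[0]
    return result

if __name__ == "__main__":
    for sid, action in effective_actions(RULES, parse_modifysid(MODIFY_SIDS_CONF)).items():
        print(sid, action)  # 2402000 drop / 9000001 disabled
```

Pointing RULES at the contents of a file under /var/lib/suricata/ and MODIFY_SIDS_CONF at the real oinkmaster-modify-sids.conf gives the same per-SID answer the WUI does not show.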

Thanks for the clarification, H&M.
That was very useful.
Now I see that a rule that says “Potential corporate violation”
is not just an alert but a drop:

drop http $EXTERNAL_NET any -> $HOME_NET any

even an ET INFO. I assumed it would only alert me, but
it shows as drop:

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP

Now I need to figure out which particular app is causing it.