ET rules are blocking or alerting

Anyone is familiar with the ET Community rules?
“Action: alert” means that they block traffic or just log and alert?

Whenever I see a strange one in the IPS log, I click on the reference SID, and try to see what is it about, and I always see the action says ALERT. So this ALERT information is on the ruleset provider’s website Proof pooint, not on the IPFire WUI,

Does it mean that this particular event was blocked or not blocked and only an alert was issued?

Here are some screenshots of the rules:
Here is a typical ET DROP Dshield:

and here is a in ET POLICY -potential corporate policy violation

These are my settings
I have IPS enabled on RED and GREEN
and Subscribed to ET Community rules
“Monitor traffic only” is disabled.

If IPS is enabled and monitor is not checked.
It was blocked.
If it did not cause someone a problem
I would not worry about it.



I also use ET rules, but on my machines above listed rules appears are DROP action.
A possible explanation can be the file /var/ipfire/suricata/oinkmaster-modify-sids.conf that contains some rules modification from alert to drop.

Example for the rules you listed above

/var/lib/suricata/emerging-dshield.rules:drop ip [,,,,,,,,,,,,,,,,,,,] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:6300; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2022_06_08;)

Hope it clarifies

1 Like

Thanks for the clarification H&M.
That was very useful
Now I see that a rule that says “Potential corporate violation”
is not just alert but a drop

drop http $EXTERNAL_NET any → $HOME_NET any

even an ET INFO. I assumed it will alert me only but
it shows as drop


Now I need to figure out which particular app is causing it.