Forgive me if this isn’t a well-informed question. I’m new to using Suricata. The way I understand it is when you go to customize a ruleset in the IPS and then click Show on a specific set, it presents you a checkbox list of everything in the ruleset. If the rule is disabled in the ruleset by default, then it doesn’t have a checked box. But checking the box allows it to become enabled. Yes? So in a way, what it does is act as a toggle that overrides “#alert” versus “alert” in the ruleset. Right?
Along these lines, then, would it be a nice idea to add to the UI another checkbox or toggle that would switch back and forth between alert/drop? Just like how the ruleset shows which rules are enabled/disabled by default, might it be interesting to have another toggle that would do the same thing but for alert/drop? (This would be separate from the “monitor traffic only” option.)
My use case would be if I’m using a ruleset, say the ET community set, and I know I want one specific rule to drop; this could then be easily set in the web GUI. Have I made a good argument for this?
Edit: Also, is there currently a way to configure this outside the webUI? The only thing I’m finding in Google is about the suricata-update python module.
Edit 2: Wait, am I dumb and misunderstanding the box for “Action”?
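Worked example, added here as an illustration of the mechanics the question describes; it is not the poster's code, nor code from the IPS web UI or from suricata-update. The enable/disable checkbox is exactly a toggle of the leading `#` on a rule line, and an alert/drop toggle would be a rewrite of the action keyword of that same line, keyed by SID. The script below does both over a small, constructed rules file (the SIDs and messages are made up and are not real ET signatures). The same per-SID overrides are what suricata-update's `enable.conf`, `disable.conf`, `drop.conf` and `modify.conf` files express when you do this outside a GUI.

```python
import re

# Constructed sample rules in ET style (made-up SIDs; not real ET signatures).
# Rule 9000002 is shipped disabled, i.e. it starts with '#'.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE one"; sid:9000001; rev:1;)
#alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE two, disabled by default"; sid:9000002; rev:2;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE three"; sid:9000003; rev:1;)
# This is a plain comment, not a disabled rule, and must be left alone.
"""

ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
# Optional leading '#' (with optional whitespace) marks a disabled rule; then the action keyword.
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<action>%s)\s" % "|".join(ACTIONS))
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")


def parse_rule(line):
    """Return (sid, enabled, action) for a rule line, or None for comments and blank lines."""
    m = RULE_RE.match(line)
    s = SID_RE.search(line)
    if not m or not s:
        return None
    return int(s.group("sid")), m.group("off") is None, m.group("action")


def rewrite_rules(text, enable=(), disable=(), drop=()):
    """Apply per-SID overrides to a rules file.

    enable/disable flip the leading '#' (the checkbox in the UI);
    drop replaces the action keyword with 'drop' for the listed SIDs
    (the alert/drop toggle asked about above). Non-rule lines pass through.
    """
    enable, disable, drop = set(enable), set(disable), set(drop)
    out = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)
            continue
        sid, enabled, action = parsed
        # Everything after the action keyword (header + options) is kept verbatim.
        body = line[RULE_RE.match(line).end("action"):]
        if sid in drop:
            action = "drop"
        if sid in enable:
            enabled = True
        if sid in disable:
            enabled = False
        out.append(("" if enabled else "#") + action + body)
    return "\n".join(out) + "\n"


def rule_state(text):
    """Map sid -> (enabled, action), handy for checking the result of a rewrite."""
    return {p[0]: (p[1], p[2]) for p in map(parse_rule, text.splitlines()) if p}


if __name__ == "__main__":
    # Enable the shipped-disabled rule and turn rule three into a drop rule.
    result = rewrite_rules(SAMPLE_RULES, enable=[9000002], drop=[9000003])
    print(result)
    print(rule_state(result))
```

Two practical caveats the script makes visible: a rule must be enabled (no leading `#`) for its action to matter at all, and `drop` only has an effect when Suricata runs inline (IPS mode); in IDS mode a `drop` rule still only alerts, which is what the "monitor traffic only" option amounts to.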