Suricata option

Hi,
Is it possible to add a button to select all rules on the selected rule page?
And to add a button to save and export rules?
ty

There are not too many details provided so this is a difficult question to answer.

Generally it is a very bad idea to select and enable every rule. That is a very quick way to bring your firewall down or make the firewall VERY slow.

1 Like

I know it slowed down, but offering the possibility of cutting everything would be very practical, as would saving the rules and being able to import and export the rules.
ty

Standard IPFire Backups capture your local Suricata IPS customizations.

Here is a manual method I find handy:
Using the EmergingThreats Community Ruleset there are two files that hold the local customizations. From an ssh terminal session, the two files can be copied off the system for documentation or to use on other systems (ideally at the same version level).

The file emerging-used-rulesfiles contains the enabled Rulesets (checked in the IPS customize Ruleset page of the GUI).
The file emerging-modifications contains a list of Rule numbers which have been modified (enabled or disabled from default) within the Rulesets <Show> pages.

[root@ipfire ~]# ls -al /var/ipfire/suricata/
total 52
drwxr-xr-x 2 nobody nobody 4096 Nov 24 01:14 .
drwxr-xr-x 48 root root 4096 Mar 12 10:49 ..
-rw-r--r-- 1 nobody nobody 153 Mar 8 16:13 emerging-modifications
-rw-r--r-- 1 nobody nobody 1450 Mar 8 16:13 emerging-used-rulesfiles

[root@ipfire ~]# cat /var/ipfire/suricata/emerging-used-rulesfiles
emerging-telnet.rules=enabled
emerging-web_client.rules=enabled
emerging-dns.rules=enabled
emerging-current_events.rules=enabled

[root@ipfire ~]# cat /var/ipfire/suricata/emerging-modifications | sort
2000xyz=enabled
2013xyz=disabled
2048xyz=disabled

The Rulesets and Rules within them are dynamic, and changes from version updates (like new or deprecated Rules) are not captured in the two local customization files.

2 Likes
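
A way to check the two files described in the post above before reusing a saved copy on another system, as an added example that is not part of the original post: `drift_ips` lists entries that differ between a saved copy and a live copy, and `stale_sids` lists modified rule numbers that no longer appear in the rule files. The function names, the rules directory argument and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.
FILES="emerging-used-rulesfiles emerging-modifications"

# drift_ips SAVED_DIR LIVE_DIR
# Print key=value entries that differ between a saved copy of the two
# customization files and another copy ("-" saved only, "+" live only).
drift_ips() {
    for f in $FILES; do
        grep -Fxv -f "$2/$f" "$1/$f" | sed "s|^|- $f: |"
        grep -Fxv -f "$1/$f" "$2/$f" | sed "s|^|+ $f: |"
    done
}

# stale_sids MODS_FILE RULES_DIR
# Print rule numbers listed in emerging-modifications that no longer appear
# as "sid:N;" in any *.rules file, e.g. after a ruleset update dropped them.
# RULES_DIR is an assumption: pass wherever the rule files are stored.
stale_sids() {
    cut -d= -f1 "$1" | while read -r sid || [ -n "$sid" ]; do
        [ -n "$sid" ] || continue
        grep -qs "sid: *$sid;" "$2"/*.rules || echo "$sid"
    done
}

# make_sample DIR: constructed sample data (saved copy, live copy, rules).
make_sample() {
    mkdir -p "$1/saved" "$1/live" "$1/rules"
    printf '%s\n' 'emerging-dns.rules=enabled' 'emerging-telnet.rules=enabled' \
        > "$1/saved/emerging-used-rulesfiles"
    printf '%s\n' 'emerging-dns.rules=enabled' \
        > "$1/live/emerging-used-rulesfiles"
    printf '%s\n' '9000001=enabled' '9000002=disabled' \
        > "$1/saved/emerging-modifications"
    printf '%s\n' '9000001=enabled' '9000003=disabled' \
        > "$1/live/emerging-modifications"
    printf '%s\n' \
        'alert tcp any any -> any 23 (msg:"constructed"; sid:9000001; rev:1;)' \
        > "$1/rules/emerging-telnet.rules"
}

# Demo run on the constructed data.
tmp=$(mktemp -d) && make_sample "$tmp"
drift_ips "$tmp/saved" "$tmp/live"
stale_sids "$tmp/saved/emerging-modifications" "$tmp/rules"
rm -rf "$tmp"
```
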

Hi,
Thank you for the manual method.