IPS: Who chooses the default enabled rules in a ruleset?

General questions.
dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

IPS: Who chooses the default enabled rules in a ruleset?

Post by dnl » May 19th, 2019, 5:34 am

This is a general question and not specific to the (great!) change to Suricata in the latest release.
  • Who selects which rules are enabled by default in a ruleset?
    Is this from the provider of the ruleset (Emerging Threats and Talos) or IPFire?
  • Do the default rules change over time?
    So if I enabled the ET emerging-worm ruleset and new worm-defence rules are added, would they automatically be enabled?
Thanks!
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: IPS: Who chooses the default enabled rules in a ruleset?

Post by bloater99 » May 21st, 2019, 6:54 pm

I believe that the ruleset provider selects the rules that they consider safe and least likely to trigger false positives, but I'm not a dev here so I'm only guessing.

I would hope that as rulesets are updated, those get passed on to us during automatic updates.

A related question: if we modify the rulesets (uncheck a default enabled rule, or check a default disabled rule), and the rulesets get updated automatically, will our changes carry over after the update?

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: IPS: Who chooses the default enabled rules in a ruleset?

Post by dnl » May 27th, 2019, 4:11 am

bloater99 wrote:
May 21st, 2019, 6:54 pm
I believe that the ruleset provider selects the rules that they consider safe and least likely to trigger false positives, but I'm not a dev here so I'm only guessing.

I would hope that as rulesets are updated, those get passed on to us during automatic updates.
Thanks. Yes, I suspect you are correct but was hoping someone knew the answer for certain.
bloater99 wrote:
May 21st, 2019, 6:54 pm
A related question: if we modify the rulesets (uncheck a default enabled rule, or check a default disabled rule), and the rulesets get updated automatically, will our changes carry over after the update?
This was not the case with the old Snort implementation in IPFire, however I read that this was one (major) improvement implemented with Suricata.
For example, I'm currently using a ruleset which finds port scans. I have disabled all the SQL/database rules which were enabled by default as I don't host a database (and wouldn't open one to other networks anyway!). The rules have been updated for a number of days and these rules have remained disabled.

I still need to confirm that if the ruleset provider enables a new rule that it is enabled on my system. I suspect it will be.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

sucram
Posts: 28
Joined: December 7th, 2014, 11:02 am

Re: IPS: Who chooses the default enabled rules in a ruleset?

Post by sucram » June 25th, 2019, 5:47 am

Hello,

I am also interested in the correct answers to those questions! ... :)

Best,

M.

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: IPS: Who chooses the default enabled rules in a ruleset?

Post by Arne.F » June 26th, 2019, 11:00 am

dnl wrote:
Who selects which rules are enabled by default in a ruleset?
Is this from the provider of the ruleset (Emerging Threats and Talos) or IPFire?
It comes from the provider. The defaults are already enabled in the rule files and the others are included as comments.

IPFire (or rather oinkmaster) stores the user changes compared to the provider selection and re-applies them at each rule update.
dnl wrote:
Do the default rules change over time?
So if I enabled the ET emerging-worm ruleset and new worm-defence rules are added, would they automatically be enabled?
New rules are added with the default from the provider.
Arne

Support the project with a donation!

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.
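The mechanism described in the post above (the provider ships enabled rules as active lines and disabled ones as commented-out lines; the local enable/disable changes are stored as a difference from the provider defaults and re-applied after every ruleset update; rules the provider adds later arrive with the provider's own default) can be shown with a small script. This is an added example, not IPFire's or oinkmaster's code: the two rule files, the sids, the `$HOME_NET` variable and the idea of keeping overrides as a `{sid: enabled}` map are all constructed for illustration.

```python
import re

# Constructed sample provider file as first downloaded. An enabled rule is a plain
# line; a disabled rule is shipped commented out but still carries its sid.
OLD_RULES = """\
alert tcp any any -> $HOME_NET 1433 (msg:"EXAMPLE SQL probe"; sid:1000001; rev:1;)
# alert tcp any any -> $HOME_NET 3306 (msg:"EXAMPLE MySQL probe"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE worm scan"; sid:1000003; rev:2;)
"""

# Constructed sample of the same file after a provider update: sid 1000001 got a
# revision bump, and a brand-new rule (sid 1000004) was added enabled by default.
NEW_RULES = """\
alert tcp any any -> $HOME_NET 1433 (msg:"EXAMPLE SQL probe"; sid:1000001; rev:2;)
# alert tcp any any -> $HOME_NET 3306 (msg:"EXAMPLE MySQL probe"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE worm scan"; sid:1000003; rev:2;)
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE new worm variant"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Return {sid: (enabled, rule_text)} for every rule in a Suricata/Snort-style
    file. A commented line that carries a sid is a disabled rule; a comment
    without a sid is an ordinary comment and is skipped."""
    rules = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped if enabled else stripped.lstrip("# ").strip()
        m = SID_RE.search(body)
        if not m:
            continue
        rules[int(m.group(1))] = (enabled, body)
    return rules


def render(rules):
    """Write a rule map back out in the provider's on-disk convention."""
    return "\n".join(b if e else "# " + b for e, b in rules.values()) + "\n"


def toggle(text, sid, enabled):
    """What the web UI checkbox does: switch one rule on or off in the local copy."""
    rules = parse_rules(text)
    rules[sid] = (enabled, rules[sid][1])
    return render(rules)


def provider_defaults(text):
    return {sid: enabled for sid, (enabled, _) in parse_rules(text).items()}


def user_overrides(provider_text, local_text):
    """The information that must be stored across updates: only the sids whose
    local state differs from the provider default (assumed storage format)."""
    provider = provider_defaults(provider_text)
    local = provider_defaults(local_text)
    return {sid: local[sid] for sid in local
            if sid in provider and local[sid] != provider[sid]}


def apply_update(new_provider_text, overrides):
    """Re-apply stored overrides to a freshly downloaded file. Sids the user never
    touched, including rules that did not exist before, keep the provider default;
    an override for a sid the provider has since removed is silently dropped."""
    rules = parse_rules(new_provider_text)
    for sid, (enabled, body) in rules.items():
        rules[sid] = (overrides.get(sid, enabled), body)
    return render(rules)


def demo():
    # The user disables the SQL probe (enabled by default) and enables the MySQL
    # probe (disabled by default), then a ruleset update arrives.
    local = toggle(toggle(OLD_RULES, 1000001, False), 1000002, True)
    overrides = user_overrides(OLD_RULES, local)   # {1000001: False, 1000002: True}
    merged = apply_update(NEW_RULES, overrides)
    return provider_defaults(merged)


if __name__ == "__main__":
    for sid, enabled in demo().items():
        print(sid, "enabled" if enabled else "disabled")
```

Running it shows the two user choices surviving the update (sid 1000001 stays disabled even though its rule text changed with the revision bump, sid 1000002 stays enabled) while the untouched sid 1000003 and the newly added sid 1000004 take the provider's defaults. Two things worth checking on a real box that this model leaves out: an override for a sid the provider has retired just disappears, so a periodic diff of the stored overrides against the current file tells you when a rule you deliberately disabled no longer exists, and a rule that the provider re-categorises into a different file keeps its sid, so keying overrides on sid rather than on file and line is what makes them survive.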

sucram
Posts: 28
Joined: December 7th, 2014, 11:02 am

Re: IPS: Who chooses the default enabled rules in a ruleset?

Post by sucram » June 26th, 2019, 2:44 pm

Thanks for the clarification! :)
M.

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: IPS: Who chooses the default enabled rules in a ruleset?

Post by dnl » June 30th, 2019, 10:01 am

Arne.F wrote:
June 26th, 2019, 11:00 am
It comes from the provider. The defaults are already enabled in the rule files and the others are included as comments.
Thanks Arne!

I've been able to confirm that. I checked the ruleset provider's rule changes. They had added a new rule to a category in which I had previously disabled a rule. The new rule from the provider was enabled correctly by default.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE
