I have two questions:
1- Is the host-os-policy section mandatory and must be filled?
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
2- What is the
Are these the ports Suricata-IDS should watch out for?
- The defaults are fine for many, or if you do not know what they are for, stick to the defaults.
See: 12.1. Suricata.yaml — Suricata 7.0.2-dev documentation
and https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/032/original/target_based_frag.pdf for more background information.
- These are used by rules. A rule may look something like
alert http any any -> any $HTTP_PORTS ...
This is the basic starting point of tuning the rules to your environment. If you run HTTP servers on other ports, you should add them, likewise for other services.
Thank you so much for your reply.
1- I read it. If I like, I can enter the IP address of the operating system on which Suricata-IDS is installed in the appropriate place. For example, if Suricata-IDS is installed on a Linux host, then:
Am I right?
2- Are things like SHELLCODE_PORTS etc. the same as variables? I mean, I can rename one to APACHE_PORTS, then write the rule like this:
alert http any any -> any $APACHE_PORTS ...
1- So, if the host that Suricata-IDS is supposed to protect uses a Linux OS, then:
And if the host that Suricata-IDS is supposed to protect uses a Windows OS, then:
Am I right?
How to break them out? Can you show me an example?
2- Sure. I just wanted to know if they are like variables or not.
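The two points the thread circles around, a host-os-policy with separate Linux and Windows entries for the protected hosts and a custom port variable referenced by a rule, as an added suricata.yaml fragment that is not part of the thread or of the Suricata project's own files. The addresses, the APACHE_PORTS value and the rule's sid are constructed sample values.

```yaml
# Added example (not from the thread): suricata.yaml fragment.
# Addresses and port numbers below are constructed sample values.

# host-os-policy tells the stream and defrag engines which TCP/IP
# reassembly behaviour to assume for the hosts whose traffic Suricata
# inspects (the protected hosts, not the sensor itself). One key per
# OS family, each holding a list of IPs or CIDR ranges; the most
# specific matching entry wins, so 0.0.0.0/0 acts as a catch-all.
host-os-policy:
  windows: [0.0.0.0/0]                # default: unknown hosts are treated as Windows
  linux: [10.0.0.0/8, 192.168.1.100]  # constructed: the Linux servers being protected
  windows2k3: []                      # unused policies stay as empty lists
  bsd: []

# Port variables are ordinary variables under vars/port-groups. Any
# $NAME used in a rule must be defined here, so a custom APACHE_PORTS
# next to the default HTTP_PORTS is legal; a rule that references an
# undefined variable makes the engine refuse to load the ruleset.
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8, 192.168.1.0/24]"   # constructed
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    APACHE_PORTS: "[80, 8080, 8443]"            # constructed custom variable
    SHELLCODE_PORTS: "!80"

# A rule in a .rules file can then reference the custom variable:
#   alert http any any -> $HOME_NET $APACHE_PORTS (msg:"HTTP to Apache ports"; sid:1000001; rev:1;)
# Validate configuration and rules before restarting the sensor:
#   suricata -T -c /etc/suricata/suricata.yaml
```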