I am running Suricata in inline mode and I am changing alert → drop for all the rules related to malicious traffic, and I am making those changes in the suricata.rules file. Every time I run suricata-update the rules change back to alert mode. I would appreciate assistance on how to make those changes permanent. I tried .modify but it's not working.
You will want to create a drop.conf file. In this file you can list the SIDs, one per line, that you want converted to drop. Suricata-Update will then convert them.
Typically this file is kept at /etc/suricata/drop.conf, but it will really depend on how you installed Suricata. If it's not being picked up, you can provide it on the command line:
suricata-update --drop-conf /etc/suricata/drop.conf
It works. Thank you very much for the swift response. I would like to know if there is a way to drop rules based on words. The following are what I am trying to drop:
msg:"ET CINS Active Threat Intelligence Poor Reputation IP
msg:"ET SCAN Suspicious inbound
msg:"ET TA_ABUSED
msg:"ET EXPLOIT Realtek
msg:"ET CINS Active Threat Intelligence
msg:"ET CNC Feodo Tracker
msg:"ET Threatview.io
msg:"ET COMPROMISED Known Compromised
signature_severity Major
Thank you
Found a solution.
By using the following I am able to block:
metadata: tag "put the tag name"
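To preview which rules a drop.conf would flip before running suricata-update on a live inline sensor, here is an added example (not part of the thread and not suricata-update's own code) that re-implements, in simplified form, the three matcher kinds discussed above: a bare SID, a `re:` regular expression matched against the rule text (which covers the "drop by words in msg" case), and a `metadata: key value` pair (which covers the `signature_severity Major` and `tag` cases). The rules and the drop.conf contents are constructed sample input; the SIDs and metadata values are made up for illustration, and the regex here is applied case-insensitively to the whole rule line, which is an assumption about matching semantics rather than a statement about suricata-update internals.

```python
import re

# Constructed sample rules (made-up SIDs/metadata, not copied from any ruleset).
RULES = """\
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 1"; sid:2403300; rev:1; metadata:signature_severity Major, tag CINS;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Suspicious inbound to SSH"; sid:2001219; rev:20; metadata:signature_severity Minor;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Example benign"; sid:2100001; rev:1; metadata:signature_severity Informational;)
"""

# Constructed drop.conf: one matcher per line, comments and blank lines ignored.
DROP_CONF = """\
# plain SID
2001219
# regex over the rule text (words from the msg field)
re:ET CINS Active Threat Intelligence
# metadata key/value pair
metadata: signature_severity Major
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata:\s*([^;]*);")


def parse_drop_conf(text):
    """Turn drop.conf lines into (kind, argument) matcher tuples."""
    matchers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            matchers.append(("re", re.compile(line[3:].strip(), re.IGNORECASE)))
        elif line.startswith("metadata:"):
            key, _, value = line[len("metadata:"):].strip().partition(" ")
            matchers.append(("metadata", (key.lower(), value.strip().lower())))
        elif line.isdigit():
            matchers.append(("sid", int(line)))
        else:
            raise ValueError(f"unsupported matcher line: {line!r}")
    return matchers


def rule_metadata(rule):
    """Extract the rule's metadata as a set of (key, value) pairs, lower-cased."""
    m = META_RE.search(rule)
    if not m:
        return set()
    pairs = set()
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        pairs.add((key.lower(), value.strip().lower()))
    return pairs


def rule_matches(rule, matcher):
    """True if a single matcher selects this rule."""
    kind, arg = matcher
    if kind == "sid":
        m = SID_RE.search(rule)
        return m is not None and int(m.group(1)) == arg
    if kind == "re":
        return arg.search(rule) is not None
    if kind == "metadata":
        return arg in rule_metadata(rule)
    return False


def apply_drop_conf(rules_text, drop_conf_text):
    """Rewrite matching 'alert' rules to 'drop'; return (new text, list of converted SIDs)."""
    matchers = parse_drop_conf(drop_conf_text)
    out, converted = [], []
    for rule in rules_text.splitlines():
        if rule.startswith("alert ") and any(rule_matches(rule, m) for m in matchers):
            rule = "drop " + rule[len("alert "):]
            converted.append(int(SID_RE.search(rule).group(1)))
        out.append(rule)
    return "\n".join(out), converted


if __name__ == "__main__":
    new_rules, sids = apply_drop_conf(RULES, DROP_CONF)
    print("converted to drop:", sids)
    print(new_rules)
```

Running this on the constructed input converts the two rules that match (one via the regex and the severity metadata, one via its SID) and leaves the informational rule as alert. The point of such a dry run on an inline sensor is to see the full list of SIDs a broad `re:` or `metadata:` matcher catches before those rules start blocking traffic; the real conversion is still done by suricata-update with the drop.conf path shown earlier in the thread.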