Why are ET lists set to 'alert' and not 'block'?

After wrestling with ET Telemetry Pro on OPNsense (and losing), I removed it and moved to ET Open. I turned a few on, like dshield, drop, and compromised.

What I noticed was that all of these come with rules that say ‘alert’, and not ‘block’. That surprised me. Why is that, and how do I make Suricata block them?

I am using Suricata on OPNsense 22

You can make Suricata block them by changing “alert” to “drop” in the rules.
It is set to alert by default since most of them do not require a block; for example, “ET Info” alerts are informational and do not indicate malicious activity.

So it is up to the user to decide what to block.


How can one mass-change all emerging-tor.rules to drop?

Edit: Would this work if added to SID drops?

group:emerging-tor.rules

I can confirm that does NOT work. Looks like I would have to enter them all (hundreds) manually?

Is there a way to change the default action of this emerging-tor.rules ruleset?

Thanks

Umm, it's probably easier to find/replace (or use sed) to update the rules. If you use sed or python, you can filter the rules, then change the action. For python, see GitHub - jasonish/py-idstools: idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool). You can parse them, update the rules, and output a new rule file.
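The filter-then-rewrite approach suggested above, as an added stdlib-only example (not code from the thread or from py-idstools): it changes the action keyword of enabled `alert` rules to `drop`, leaves commented-out (disabled) rules and non-rule lines untouched, and can optionally restrict the change to a set of SIDs. The sample rules and their SIDs are constructed for illustration, not copied from emerging-tor.rules.

```python
import re

# A Suricata rule line begins with its action keyword; disabled rules start with '#'
# and therefore do not match this pattern, so they stay disabled.
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.+)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def convert_actions(rule_text, new_action="drop", sids=None):
    """Return (rewritten_text, count): every enabled 'alert' rule becomes new_action.

    Comments, blank lines and rules that already use another action are kept as-is.
    If sids is given, only rules whose sid is in that set are converted.
    """
    out = []
    changed = 0
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == "alert":
            sid_m = SID_RE.search(line)
            if sids is None or (sid_m and int(sid_m.group(1)) in sids):
                line = f"{new_action} {m.group('rest')}"
                changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed sample in the style of emerging-tor.rules (SIDs are made up).
SAMPLE = """\
# Emerging Threats Tor rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; sid:2522000; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TOR disabled rule stays disabled"; sid:2522003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 2"; sid:2522001; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR already set to drop"; sid:2522002; rev:1;)
"""

if __name__ == "__main__":
    import sys
    # Usage: python convert.py emerging-tor.rules > emerging-tor-drop.rules
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    text, n = convert_actions(src)
    sys.stderr.write(f"converted {n} rules\n")
    sys.stdout.write(text)
```

Before loading the rewritten file, validate it with `suricata -T -c /path/to/suricata.yaml -S emerging-tor-drop.rules` so a malformed line is caught before the ruleset goes live; remember that `drop` only has effect when Suricata runs in IPS (inline) mode.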