Just a question: I've applied some suppress rules in the threshold file, but they don't seem to be applying. I've restarted the Suricata service to see if that would help, but I haven't seen a change in the alerts I'm trying to suppress. Any tips would help.
Where is the file you've been making these changes to? I think that probably the way to do what you're trying to do is by including an extra config file here as described here.
User:
So I was adding the suppress rule on one of our sensors; are you suggesting it can be applied on the Malcolm server itself? On the Hedgehog sensor the path to the file I'm making changes to is /etc/suricata/threshold.config. I figured that because the parsing of the data is being done on the sensor, that's where I would have to apply the rule. The Suricata documentation says to use this file to reduce the number of alerts for noisy rules. Example: suppress sig_id 2034704, track by_dst, ip <ip address>
Ah, sorry, you are correct, when using hedgehog it would be on the sensor. Let me double-check if that's the location we're actually running that from.
User:
I think I resolved my own issue after reading the documentation a little more. The documentation says to set the gen_id to 1 unless the rule has an id. I didn't set a gen_id, but after setting gen_id 1 it seems to be working now (reference). Also, @mmguero, are there some rule sets you remove to reduce noise? Out of the box the rules are very noisy, especially on a production network. Like, are there some rule sets that can just be removed?
Right now the only rule set that's enabled in Malcolm (besides some OT-specific ones) is the Emerging Threats Open ruleset that's built into Suricata. There are a few issues related to what you're talking about (idaholab#430, idaholab#477, idaholab#221), but nothing is in place yet. If you want finer-grained control, doing what you're talking about (identifying the noisy rules and setting the threshold like you've mentioned above) is probably the only way right now. Or just put the custom rules files you would like to use in the appropriate directory and set SURICATA_CUSTOM_RULES_ONLY to true in order to ignore the built-in rules and use only the custom ones you have provided.
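The failure mode in this thread (a suppress entry silently ignored because it has no gen_id) is easy to catch before the file is copied to a sensor. The script below is an added example, written for this thread and not code from Suricata, Malcolm or Hedgehog: a small linter for the documented threshold.config entry types (suppress, threshold, rate_filter) that flags missing required keys, bad track/type values and unparseable addresses, plus a helper that emits a suppress line with gen_id always present. The sample config is constructed; sid 2034704 comes from the thread, sid 2000123 is made up for the threshold line, and bracketed address lists are not handled.

```python
"""Lint a Suricata threshold.config before deploying it to a sensor (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Keys accepted per entry type, per the documented threshold.config format.
ALLOWED_KEYS = {
    "suppress": {"gen_id", "sig_id", "track", "ip"},
    "threshold": {"gen_id", "sig_id", "type", "track", "count", "seconds"},
    "rate_filter": {"gen_id", "sig_id", "track", "count", "seconds", "new_action", "timeout"},
}
REQUIRED_KEYS = {
    "suppress": {"gen_id", "sig_id"},
    "threshold": {"gen_id", "sig_id", "type", "track", "count", "seconds"},
    "rate_filter": {"gen_id", "sig_id", "track", "count", "seconds", "new_action", "timeout"},
}
TRACK_VALUES = {
    "suppress": {"by_src", "by_dst", "by_either"},
    "threshold": {"by_src", "by_dst", "by_rule", "by_both"},
    "rate_filter": {"by_src", "by_dst", "by_rule", "by_both"},
}
THRESHOLD_TYPES = {"threshold", "limit", "both"}
INT_KEYS = ("gen_id", "sig_id", "count", "seconds", "timeout")
PAIR_RE = re.compile(r"^\s*(\w+)\s+(\S+)\s*$")  # one "key value" field


def parse_entry(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse one entry line into {'kind': ..., key: value}; return it with a list of problems."""
    problems: List[str] = []
    kind, _, rest = line.strip().partition(" ")
    if kind not in ALLOWED_KEYS:
        return {}, [f"unknown entry type {kind!r}"]
    entry = {"kind": kind}
    for field in rest.split(","):
        m = PAIR_RE.match(field)
        if not m:
            problems.append(f"cannot parse field {field.strip()!r}")
            continue
        key, value = m.groups()
        if key not in ALLOWED_KEYS[kind]:
            problems.append(f"key {key!r} not valid for {kind}")
        entry[key] = value
    # This is the check that would have caught the thread's original line.
    for key in sorted(REQUIRED_KEYS[kind] - entry.keys()):
        problems.append(f"missing required key {key!r} (suppress entries need gen_id, normally 1)")
    for key in INT_KEYS:
        if key in entry and not entry[key].isdigit():
            problems.append(f"{key} must be an integer, got {entry[key]!r}")
    if "track" in entry and entry["track"] not in TRACK_VALUES[kind]:
        problems.append(f"track {entry['track']!r} not valid for {kind}")
    if "type" in entry and entry["type"] not in THRESHOLD_TYPES:
        problems.append(f"type {entry['type']!r} not valid for threshold")
    if kind == "suppress" and ("track" in entry) != ("ip" in entry):
        problems.append("suppress with track needs ip and vice versa")
    # Address variables such as $HOME_NET are left unchecked; literals must be IP or CIDR.
    if "ip" in entry and not entry["ip"].startswith("$"):
        try:
            ipaddress.ip_network(entry["ip"], strict=False)
        except ValueError:
            problems.append(f"ip {entry['ip']!r} is not an address or CIDR")
    return entry, problems


def lint_config(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Lint a whole threshold.config; comment lines (#) and blank lines are skipped."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry, errs = parse_entry(line)
        if entry:
            entries.append(entry)
        problems.extend(f"line {lineno}: {e}" for e in errs)
    return entries, problems


def suppress_line(sig_id: int, track: str = "", ip: str = "", gen_id: int = 1) -> str:
    """Build a suppress entry that always carries gen_id (default 1, as the docs advise)."""
    parts = [f"suppress gen_id {gen_id}, sig_id {sig_id}"]
    if track or ip:
        parts.append(f"track {track}, ip {ip}")
    return ", ".join(parts)


# Constructed sample: line 2 is the form first tried in the thread (no gen_id), line 3 the working form.
SAMPLE = (
    "# constructed example threshold.config, not the thread's real file\n"
    "suppress sig_id 2034704, track by_dst, ip 10.0.0.5\n"
    "suppress gen_id 1, sig_id 2034704, track by_dst, ip 10.0.0.5\n"
    "threshold gen_id 1, sig_id 2000123, type limit, track by_src, count 1, seconds 60\n"
)

if __name__ == "__main__":
    parsed, issues = lint_config(SAMPLE)
    print(f"{len(parsed)} entries parsed")
    for issue in issues:
        print("PROBLEM:", issue)
    print(suppress_line(2034704, "by_dst", "10.0.0.5"))
```

Run it against the real file with `lint_config(open("/etc/suricata/threshold.config").read())` on the sensor before restarting Suricata; any "missing required key 'gen_id'" line is an entry Suricata will not apply.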