I am trying to get a comprehensive list of every destination IP my network connects to using Suricata rules, but right now I am getting WAY too many logs. When I view the logs created by my Suricata alert rules it shows many duplicate logs with the same timestamp, source ip, and destination ip (sometimes as many as 15 duplicates in a row). I really need to reduce the total number of logs being created.
I have a set of Suricata rules set up and want to generate one alert per connection (i.e. eliminate my duplicate logs). How can I change my Suricata rules to only create an alert ONE time per connection? Please let me know if this is possible to accomplish using flowints or otherwise. Here are my current rules:
alert ip 10.0.0.0/8 any -> any 53 (msg:"DNS LOOKUP logged"; flow:to_server, established; sid: 1000001 ; rev:1; metadata:updated_at 2022_05_20; )
alert tls 10.0.0.0/8 any -> any any ( msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server, established; sid: 1000002 ; rev:1; metadata:updated_at 2022_05_20; )
alert http 10.0.0.0/8 any -> any any ( msg:"INITIAL http egress to collect all outgoing traffic"; flow:to_server, established; sid: 1000003 ; rev:1; metadata:updated_at 2022_05_20; )
Have you looked at the flow event type? It's enabled by default and will give you one record per flow and also provide the protocol information. However, you get these records when the flow is complete/timed out, not as the flow is created.
I’d look into re-enabling it if you can, as it is enabled in the default configuration file. It seems it would give you what you need, perhaps more efficiently than using rules. However, the flowint keyword might help you out: 6.10. Flow Keywords — Suricata 6.0.10 documentation
Thank you for your responses Jason! I am using AWS Network Firewall so as far as I know I don’t have access to a configuration file, just Suricata rules. I have been looking into using flowint to fix my issue but haven’t been able to figure out how to apply it to my use case. Any chance you could show me how I might re-write my rules?
This looks very promising, thank you! Just to make sure I understand: the flowbits:isnotset,logged; part will generate an alert because logged is not set. But in the same line set,logged; will set logged. Once logged is set, subsequent events in the same connection will not generate any more alerts. Am I understanding that correctly?
Also, does the rule reset after each connection? So for example if I had 2 egress connections to google.com I would still get 1 alert for each connection, correct?
Awesome. I have played around with flowbits some more today and I am wondering if the following solution would also work:
Since I am going to be whitelisting domains in the future anyways, what if I started writing pass rules now to cut down the number of logs I am getting? If I use flowbits:set, suppressalert; in my pass rules for a domain (say “google.com”) and flowbits: isnotset, suppressalert; in my alert rule, then I should never get an alert from a TLS connection to google.com, correct?
Example:
pass tls any any -> any any (tls.sni; content:"google.com"; msg:"pass google.com"; flowbits:set, suppressalert; ...)
alert tls 10.0.0.0/8 any -> any any ( msg:"alert for TLS outgoing traffic"; flowbits: isnotset, suppressalert; ...)
I am hoping this gives me alerts for every outgoing TLS connection EXCEPT for google.com
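The two ideas from this thread written out as one rule set, added here as an example and not taken from any post above: the alert-once-per-flow pattern (isnotset followed by set in the same rule) for the three original rules, and the pass-rule allow list for google.com. The bit names dns_logged, http_logged, tls_logged and suppressalert and the pass rule's sid are my own choices.

```suricata
# Added example, not from the thread. Flowbits are stored on the flow, so the
# isnotset check succeeds only on the first matching packet of a connection;
# the same rule then sets the bit and later packets of that flow stay silent.
# A second connection to the same host is a new flow, so it alerts again.
alert ip 10.0.0.0/8 any -> any 53 (msg:"DNS LOOKUP logged"; flow:to_server,established; flowbits:isnotset,dns_logged; flowbits:set,dns_logged; sid:1000001; rev:2; metadata:updated_at 2022_05_20;)
alert http 10.0.0.0/8 any -> any any (msg:"INITIAL http egress to collect all outgoing traffic"; flow:to_server,established; flowbits:isnotset,http_logged; flowbits:set,http_logged; sid:1000003; rev:2; metadata:updated_at 2022_05_20;)

# Allow list: with the default action order pass rules are evaluated before
# alert rules, so on the ClientHello carrying the SNI this rule runs first and
# sets suppressalert on the flow. flowbits:noalert keeps the pass rule itself
# from producing an alert record. "endswith" anchors the match to the end of the
# SNI so that e.g. google.com.example.net is not allow-listed by accident
# (the bare apex "google.com" would need its own rule or a bsize check).
pass tls any any -> any any (msg:"pass google.com"; tls.sni; content:".google.com"; endswith; flowbits:set,suppressalert; flowbits:noalert; sid:1000010; rev:1; metadata:updated_at 2022_05_20;)

# TLS egress rule combining both bits: one alert per flow, and none at all for
# flows the pass rule above has already marked.
alert tls 10.0.0.0/8 any -> any any (msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server,established; flowbits:isnotset,suppressalert; flowbits:isnotset,tls_logged; flowbits:set,tls_logged; sid:1000002; rev:2; metadata:updated_at 2022_05_20;)
```

Check the result with the eve flow_id field: every alert from sids 1000001 to 1000003 should now carry a distinct flow_id, and no alert should have an SNI ending in .google.com.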