Disable alerts based on rule ID and IP Address combination

There are some rules (as an example “ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File”) which I don’t want to disable, but would like to disable for a particular destination IP (for the same example, not alerting when the destination is a domain controller serving group policy scripts).

Are there any options or suggestions for achieving this within Suricata, or is it expected this sort of exception would be configured outside of Suricata? (I’m loading alert logs into elastic)

Handling it in elastic is probably best, just in case you get an alert for a host that you do want to see somewhere down the road; better to err on the side of caution, in my experience.

You can also use thresholds if you really don’t want the alerts https://suricata.readthedocs.io/en/suricata-6.0.0/configuration/global-thresholds.html?highlight=threshold#suppress
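As an added illustration (not posted in the thread), this is what a threshold.config entry looks like when it suppresses one signature only for a given destination. The `<SID>` placeholder stands for the sid of the ET POLICY SMB2 .ps1 rule, the 10.0.0.5 host and 10.0.0.0/24 subnet are constructed example values for the domain controllers, and `$DC_SERVERS` is assumed to be defined under `vars.address-groups` in suricata.yaml.

```conf
# threshold.config, referenced from suricata.yaml via:
#   threshold-file: /etc/suricata/threshold.config
#
# Suppress one signature only when the destination is the domain
# controller that serves group policy scripts. <SID> is a placeholder
# for the rule's sid; 10.0.0.5 is a constructed example address.
# The rule stays enabled and still alerts for every other destination.
suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.0.0.5

# Same exception for every host in a (constructed) DC subnet.
suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.0.0.0/24

# Or tie it to an address group, assumed to be defined in suricata.yaml
# under vars.address-groups, so the exception list lives in one place.
suppress gen_id 1, sig_id <SID>, track by_dst, ip $DC_SERVERS
```

Run `suricata -T -c /etc/suricata/suricata.yaml` after editing so a typo in the threshold file is caught before the restart rather than by silently losing the suppression.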

Thanks both!

I’d started on a KQL query to filter out some of the common alerts, but it was getting messy fast.

Suppress config with comments to remind me what they’re for sounds like it’ll be neater for me in the long run.