Disable applayer rule

abwhite · October 17, 2023, 9:21pm

I cannot seem to disable this rule APPLAYER_WRONG_DIRECTION_FIRST_DATA (is it a rule? it doesn’t have a sid)

{"timestamp":"2023-10-17T14:17:19.031133-0700","flow_id":421525167456938,"in_iface":"ixgbe2","event_type":"anomaly","vlan":[307],"src_ip":"169.233.244.121","src_port":51550,"dest_ip":"157.240.22.12","dest_port":443,"proto":"TCP","community_id":"1:Dl9FzTIqIArrAsbIrsYt3/SCYWw=","anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA","layer":"proto_detect"}}
I’ve tried disabling via disable.conf using re to match on “APPLAYER_WRONG_DIRECTION_FIRST_DATA” but these events are still blowing up the eve.json file…

TIA!

Jeff_Lucovsky · October 18, 2023, 1:04pm

See the anomaly section in the suricata.yaml configuration file.

By default, applayer is enabled. Note that there are 3 anomaly “types” that are logged. If all are disabled, then just set anomaly.enabled to no.

       - anomaly:
            # Anomaly log records describe unexpected conditions such
            # as truncated packets, packets with invalid IP/UDP/TCP
            # length values, and other events that render the packet
            # invalid for further processing or describe unexpected
            # behavior on an established stream. Networks which
            # experience high occurrences of anomalies may experience
            # packet processing degradation.
            #
            # Anomalies are reported for the following:
            # 1. Decode: Values and conditions that are detected while
            # decoding individual packets. This includes invalid or
            # unexpected values for low-level protocol lengths as well
            # as stream related events (TCP 3-way handshake issues,
            # unexpected sequence number, etc).
            # 2. Stream: This includes stream related events (TCP
            # 3-way handshake issues, unexpected sequence number,
            # etc).
            # 3. Application layer: These denote application layer
            # specific conditions that are unexpected, invalid or are
            # unexpected given the application monitoring state.
            #
            # By default, anomaly logging is enabled. When anomaly
            # logging is enabled, applayer anomaly reporting is
            # also enabled.
            enabled: yes
            #
            # Choose one or more types of anomaly logging and whether to enable
            # logging of the packet header for packet anomalies.
            types:
              # decode: no
              # stream: no
              # applayer: yes

abwhite · October 18, 2023, 4:39pm

Excellent! Thanks so much @Jeff_Lucovsky–eps has drastically decreased now

Topic		Replies	Views
How to ignore FIN,ACK flag Rules rules	1	708	December 27, 2021
Unable to supress SURICATA STREAM alerts Rules rules , suricata	3	573	October 25, 2023
Suricata 7 drops my flows - reason: applayer error Help	6	651	October 24, 2024
Decode, stream, app-layer event rules Rules rules	5	1202	June 7, 2022
Help to disable http protocol in suricata 7.0.2 Help	1	257	November 16, 2023

Disable applayer rule

Related Topics