I cannot seem to disable this rule APPLAYER_WRONG_DIRECTION_FIRST_DATA (is it a rule? it doesn’t have a sid)
I’ve tried disabling via disable.conf using re to match on “APPLAYER_WRONG_DIRECTION_FIRST_DATA” but these events are still blowing up the eve.json file…
anomaly section in the suricata.yaml configuration file.
applayer is enabled. Note that there are 3 anomaly “types” that are logged. If all are disabled, then just set
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
# length values, and other events that render the packet
# invalid for further processing or describe unexpected
# behavior on an established stream. Networks which
# experience high occurrences of anomalies may experience
# packet processing degradation.
# Anomalies are reported for the following:
# 1. Decode: Values and conditions that are detected while
# decoding individual packets. This includes invalid or
# unexpected values for low-level protocol lengths as well
# as stream related events (TCP 3-way handshake issues,
# unexpected sequence number, etc).
# 2. Stream: This includes stream related events (TCP
# 3-way handshake issues, unexpected sequence number,
# etc).
# 3. Application layer: These denote application layer
# specific conditions that are unexpected, invalid or are
# unexpected given the application monitoring state.
# By default, anomaly logging is enabled. When anomaly
# logging is enabled, applayer anomaly reporting is
# also enabled.
# Choose one or more types of anomaly logging and whether to enable
# logging of the packet header for packet anomalies.
# decode: no
# stream: no
# applayer: yes
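An added check, not part of this thread or of Suricata itself: a small script that tallies the anomaly records in eve.json by type and event name, so you can see which anomaly type is inflating the log before changing the `types:` settings and confirm afterwards that applayer records stopped. It assumes the EVE anomaly record layout (`event_type: anomaly` with a nested `anomaly` object carrying `type` and `event`); the sample lines are constructed, not real captures.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not real captures); the record layout
# follows Suricata's EVE anomaly logger: event_type "anomaly" plus a nested
# "anomaly" object with "type" (decode/stream/applayer) and "event".
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"anomaly","anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA","layer":"proto_parser"}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"anomaly","anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA","layer":"proto_parser"}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"anomaly","anomaly":{"type":"stream","event":"stream.3whs_wrong_seq_wrong_ack","layer":"proto_parser"}}
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"alert","alert":{"signature_id":1,"signature":"constructed test alert"}}
not json at all
{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"anomaly","anomaly":{"type":"decode","event":"decoder.ipv4.trunc_pkt","layer":"packet"}}
"""


def tally_anomalies(lines):
    """Return (count per anomaly type, count per (type, event), skipped lines)."""
    by_type, by_event, skipped = Counter(), Counter(), 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # partial or corrupt line, e.g. cut during rotation
            continue
        if rec.get("event_type") != "anomaly":
            continue  # alerts, flows, etc. are not what we are measuring
        anom = rec.get("anomaly", {})
        atype = anom.get("type", "unknown")
        by_type[atype] += 1
        by_event[(atype, anom.get("event", "unknown"))] += 1
    return by_type, by_event, skipped


def top_events(lines, n=5):
    """The n most frequent (type, event) pairs, the ones worth tuning first."""
    return tally_anomalies(lines)[1].most_common(n)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    by_type, by_event, skipped = tally_anomalies(src)
    print("anomalies by type:", dict(by_type))
    for (atype, event), n in by_event.most_common(10):
        print(f"{n:8d}  {atype:9s} {event}")
    if skipped:
        print(f"skipped {skipped} unparseable line(s)")
```

Run it as `python3 tally_anomalies.py /var/log/suricata/eve.json` against the live log; with no argument it runs over the embedded sample.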
Excellent! Thanks so much @Jeff_Lucovsky. EPS has drastically decreased now.