I cannot seem to disable this rule APPLAYER_WRONG_DIRECTION_FIRST_DATA (is it a rule? it doesn’t have a sid)
{"timestamp":"2023-10-17T14:17:19.031133-0700","flow_id":421525167456938,"in_iface":"ixgbe2","event_type":"anomaly","vlan":[307],"src_ip":"169.233.244.121","src_port":51550,"dest_ip":"157.240.22.12","dest_port":443,"proto":"TCP","community_id":"1:Dl9FzTIqIArrAsbIrsYt3/SCYWw=","anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA","layer":"proto_detect"}}
I’ve tried disabling via disable.conf using re to match on “APPLAYER_WRONG_DIRECTION_FIRST_DATA” but these events are still blowing up the eve.json file…
See the anomaly section in the suricata.yaml configuration file.
By default, applayer is enabled. Note that there are 3 anomaly “types” that are logged. If all are disabled, then just set anomaly.enabled to no.
  - anomaly:
      # Anomaly log records describe unexpected conditions such
      # as truncated packets, packets with invalid IP/UDP/TCP
      # length values, and other events that render the packet
      # invalid for further processing or describe unexpected
      # behavior on an established stream. Networks which
      # experience high occurrences of anomalies may experience
      # packet processing degradation.
      #
      # Anomalies are reported for the following:
      # 1. Decode: Values and conditions that are detected while
      #    decoding individual packets. This includes invalid or
      #    unexpected values for low-level protocol lengths as well
      #    as stream related events (TCP 3-way handshake issues,
      #    unexpected sequence number, etc).
      # 2. Stream: This includes stream related events (TCP
      #    3-way handshake issues, unexpected sequence number,
      #    etc).
      # 3. Application layer: These denote application layer
      #    specific conditions that are unexpected, invalid or are
      #    unexpected given the application monitoring state.
      #
      # By default, anomaly logging is enabled. When anomaly
      # logging is enabled, applayer anomaly reporting is
      # also enabled.
      enabled: yes
      #
      # Choose one or more types of anomaly logging and whether to enable
      # logging of the packet header for packet anomalies.
      types:
        # decode: no
        # stream: no
        # applayer: yes
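The record in the question has event_type "anomaly" and no alert/signature_id field, so it is an anomaly output event rather than an alert, and disable.conf (which works on rule sids) has nothing to act on; what governs it is the anomaly section quoted above. The script below is an added example, not code from the thread or from Suricata: it parses eve.json lines, tallies anomaly records by type and event so you can see what is filling the file, and applies a small model of the anomaly section (enabled plus the decode/stream/applayer types, with the defaults implied by the commented-out values) to show which records would still be written after uncommenting `applayer:` and setting it to `no`, or after setting `enabled: no`. Only the first sample line is the real record from the question; the others are constructed, and the model reflects the behaviour described in the answer, not Suricata's source.

```python
"""Triage anomaly records in eve.json and model the `anomaly:` output settings.

Added example, not part of the forum thread or of Suricata itself.  The
sample lines (other than the first) and the configuration model are
assumptions built from the thread.
"""
import json
from collections import Counter

# Constructed sample of eve.json lines.  Line 1 is the record posted in the
# question; the rest are made-up variants (example data, not real traffic),
# with event names chosen to be obvious placeholders.
SAMPLE_EVE = r"""
{"timestamp":"2023-10-17T14:17:19.031133-0700","flow_id":421525167456938,"in_iface":"ixgbe2","event_type":"anomaly","vlan":[307],"src_ip":"169.233.244.121","src_port":51550,"dest_ip":"157.240.22.12","dest_port":443,"proto":"TCP","community_id":"1:Dl9FzTIqIArrAsbIrsYt3/SCYWw=","anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA","layer":"proto_detect"}}
{"timestamp":"2023-10-17T14:17:19.200000-0700","flow_id":1,"event_type":"anomaly","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","proto":"TCP","anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA","layer":"proto_detect"}}
{"timestamp":"2023-10-17T14:17:19.300000-0700","flow_id":2,"event_type":"anomaly","src_ip":"10.0.0.3","dest_ip":"10.0.0.4","proto":"UDP","anomaly":{"type":"decode","event":"EXAMPLE_DECODE_EVENT"}}
{"timestamp":"2023-10-17T14:17:19.400000-0700","flow_id":3,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.6","proto":"TCP","alert":{"signature_id":1,"signature":"EXAMPLE ALERT"}}
{"timestamp":"2023-10-17T14:17:19.500000-0700","flow_id":4,"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.8","proto":"TCP"}
"""

# Defaults implied by the commented-out values in the suricata.yaml excerpt:
# anomaly logging on, only the applayer type enabled (assumption).
DEFAULT_ANOMALY_CFG = {"enabled": True,
                       "types": {"decode": False, "stream": False, "applayer": True}}
# The change the thread points at: keep the anomaly logger but turn the
# applayer type off (uncomment `applayer:` and set it to `no`).
APPLAYER_OFF_CFG = {"enabled": True,
                    "types": {"decode": False, "stream": False, "applayer": False}}
# Turning the whole anomaly logger off (`anomaly.enabled: no`).
ANOMALY_OFF_CFG = {"enabled": False, "types": {}}


def parse_eve(text):
    """Parse EVE JSON lines, skipping blanks and lines that are not JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. a truncated last line of a live file
    return records


def has_sid(record):
    """True only for alert records.  Anomaly records carry no signature_id,
    which is why disable.conf (a rule-level mechanism) cannot suppress them."""
    return "alert" in record and "signature_id" in record["alert"]


def summarize_anomalies(records):
    """Count anomaly records by (anomaly.type, anomaly.event)."""
    counts = Counter()
    for rec in records:
        if rec.get("event_type") == "anomaly":
            anom = rec.get("anomaly", {})
            counts[(anom.get("type", "?"), anom.get("event", "?"))] += 1
    return counts


def anomaly_logged(record, cfg):
    """Model of the `anomaly:` output section: non-anomaly records are
    unaffected; an anomaly record is written only if the logger is enabled
    and its type (decode/stream/applayer) is enabled.  This mirrors the
    description in the thread, not Suricata's source (assumption)."""
    if record.get("event_type") != "anomaly":
        return True
    if not cfg.get("enabled", False):
        return False
    atype = record.get("anomaly", {}).get("type")
    return bool(cfg.get("types", {}).get(atype, False))


def apply_cfg(records, cfg):
    """Return the records that would still reach eve.json under `cfg`."""
    return [rec for rec in records if anomaly_logged(rec, cfg)]


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    print("records:", len(recs), " with a sid:", sum(has_sid(r) for r in recs))
    for (atype, event), n in summarize_anomalies(recs).most_common():
        print(f"{n:6d}  {atype:9s} {event}")
    for name, cfg in [("default", DEFAULT_ANOMALY_CFG),
                      ("applayer off", APPLAYER_OFF_CFG),
                      ("anomaly off", ANOMALY_OFF_CFG)]:
        kept = apply_cfg(recs, cfg)
        print(f"{name:13s}: {len(kept)} of {len(recs)} records kept")
```

To use it on a real sensor, replace SAMPLE_EVE with the contents of eve.json (or feed the file through parse_eve a line at a time); the summary tells you whether APPLAYER_WRONG_DIRECTION_FIRST_DATA really is the bulk of the volume before you touch the config, and the two alternative configurations show the difference between dropping only applayer anomalies and silencing the anomaly logger entirely.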