Question: reporting by email/Telegram

Good morning,
I have Suricata installed on a Raspberry Pi. The first question is: do you think it will hold up for a small company? Raspberry Pi 4, 4 GB RAM.

And the question I am writing about. To get notified somewhere, I have created a Python script that runs every 5 minutes. Within that script, if fast.log occupies more than 0 KB, it sends a notification via Telegram.

The problem is that if it logs a "non-dangerous" line, such as a Spotify connection, the automation will warn you anyway.

I could filter with an `if` which messages do or do not trigger the Telegram call script, but with almost 50,000 rules it is a bit crazy.

Do you have any idea how I can manage this?

Could it be safe to filter only on "ET" rules?

You should do a testing phase and filter the noisy rules out, and either threshold or suppress those rules. There will always be some post-processing logic necessary if you want to filter by priority and such.

The Raspberry Pi might be good enough if there is not much traffic.
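As an added example (not code from either poster), here is the kind of post-processing the reply describes: parse fast.log lines, drop SIDs you have decided to suppress, keep only alerts at or above a chosen priority, and read only the lines appended since the last run so a single old alert does not re-notify every 5 minutes. The fast.log lines, SIDs and messages below are constructed samples, not real rules.

```python
import re

# Suricata fast.log line layout (one alert per line), e.g.:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src> -> <dst>
# The Classification field is optional.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample lines (SIDs in the local 1000000+ range, invented messages).
SAMPLE_LINES = [
    "01/22/2023-10:15:02.123456  [**] [1:1000001:1] CONSTRUCTED POLICY Music streaming client check-in [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.20:51234 -> 203.0.113.10:443",
    "01/22/2023-10:15:09.654321  [**] [1:1000002:1] CONSTRUCTED MALWARE Known C2 beacon pattern [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.35:49152 -> 198.51.100.7:8080",
    "01/22/2023-10:15:11.000001  [**] [1:1000003:2] CONSTRUCTED INFO Noisy DNS query [**] "
    "[Classification: Misc activity] [Priority: 2] {UDP} 192.168.1.20:5353 -> 192.168.1.1:53",
    "this line is not a fast.log alert",
]

# SIDs found noisy during the testing phase; the same IDs would go into
# threshold.config as "suppress gen_id 1, sig_id 1000003" to silence them at the source.
SUPPRESSED_SIDS = {1000003}

def parse_fast_line(line):
    """Return a dict of fields for one fast.log line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"], d["prio"] = int(d["sid"]), int(d["prio"])
    return d

def select_alerts(lines, suppressed_sids, max_priority=2):
    """Keep alerts that are not suppressed and whose priority is max_priority or
    better (Suricata priority 1 is the most severe)."""
    out = []
    for line in lines:
        a = parse_fast_line(line)
        if a is None or a["sid"] in suppressed_sids or a["prio"] > max_priority:
            continue
        out.append(a)
    return out

def read_new_lines(path, offset):
    """Read only bytes appended since `offset` (persist the returned offset between runs)."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    return data.decode("utf-8", "replace").splitlines(), offset + len(data)
```

Only the alerts returned by `select_alerts` would be passed to the Telegram call; a log rotation resets the file, so store the offset and start from 0 if the file is shorter than it.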

Thanks for the info, I will do tests at home with 5-6 machines making requests to see how it behaves.