Happy Friday everyone!
Hopefully you can help me because I am getting a little bit lost (which is normal as I am a beginner with Suricata).
Like most of you, you might have some vulnerability scanners in your network generating a lot of false positives.
I tried to exclude them using the var section of suricata.yaml like this:
```yaml
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12, ![$SEC_SCANNERS]]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    EXTERNAL_NET: "![$HOME_NET, $SEC_SCANNERS]"
    #EXTERNAL_NET: "any"
    SEC_SCANNERS: "[10.10.28.0/24]"
```
For some reason the alerts are still passing through, like:
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
```
Where src_ip is a vulnerability scanner.
I hope you can provide me some guidance.
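As an added illustration (not part of the post and not Suricata's own parser): a small Python resolver that models the documented address-group semantics and applies them to the exact variables above, so you can check which variable a given source address resolves into before chasing the rule itself. It assumes a group is the union of its positive entries minus its negated ones and that `!` on a variable or group is its complement; the engine's real parser may treat corner cases differently, so use it as a sanity check on what the config expresses, not as Suricata's verdict.

```python
import ipaddress

# Constructed copy of the address-groups from the post (values as given there).
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12, ![$SEC_SCANNERS]]",
    "EXTERNAL_NET": "![$HOME_NET, $SEC_SCANNERS]",
    "SEC_SCANNERS": "[10.10.28.0/24]",
}

def _split_top(text):
    """Split on commas at bracket depth 0, so nested [...] groups stay whole."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def matches(expr, ip, groups=ADDRESS_GROUPS):
    """True if ip is covered by expr. Modelled semantics: '!x' is the complement
    of x, '$VAR' expands to its definition, and a [...] group is the union of its
    positive entries minus its negated ones (only negated entries = 'all except')."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not matches(expr[1:], ip, groups)
    if expr.startswith("$"):
        return matches(groups[expr[1:]], ip, groups)
    if expr.startswith("["):
        items = _split_top(expr[1:-1])
        positive = [i for i in items if not i.startswith("!")]
        negated = [i[1:] for i in items if i.startswith("!")]
        in_positive = not positive or any(matches(i, ip, groups) for i in positive)
        return in_positive and not any(matches(i, ip, groups) for i in negated)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def classify(ip):
    """Report which of the three variables a given address resolves into."""
    return {name: matches("$" + name, ip) for name in ADDRESS_GROUPS}

def rule_would_match(src_ip, dst_ip):
    """Address part of 'alert tcp $EXTERNAL_NET any -> $HOME_NET 111'."""
    return matches("$EXTERNAL_NET", src_ip) and matches("$HOME_NET", dst_ip)
```

Under this model a scanner address such as 10.10.28.5 lands in neither $HOME_NET nor $EXTERNAL_NET, so the rule's address part cannot match it; if the engine still alerts, the first things to confirm are that the running instance loaded this exact file and that the alert's src_ip really falls inside SEC_SCANNERS.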