What is the best way to deal with Poor Reputation rules? It is expected that IPs are going to continually probe any open ports. Right now I am adding them to a list like this:
suppress gen_id 1, sig_id 2403379, track by_dst, ip 192.168.90.10
suppress gen_id 1, sig_id 2403384, track by_dst, ip 192.168.90.10
suppress gen_id 1, sig_id 2403377, track by_dst, ip 192.168.90.10
I don’t want to disable the rule, as it would be interesting if there are any connections out to Poor Reputation IP addresses.
(Disclaimer: I’m not a rule writer, but…)
Have you tried using a threshold config file where you’d add those?
Reference: 12.2. Global-Thresholds — Suricata 7.0.3-dev documentation
Looking at my event log I am not sure a threshold alert will make any difference. I normally get a single connection from those IP addresses in the Poor Reputation group.
Right now it looks like I need to create a matching suppress rule for every ET Poor Reputation IP group rule.
What are you using to update the rules? I wonder if you can use modify.conf to modify the rules to look for outbound instead of inbound?
For Suricata-Update this might be something like this (untested):
# modify.conf format: <matcher> "<from regex>" "<replacement>"; the "(" before msg must be escaped in the regex,
# and "\\1" becomes the "\1" back-reference once the quoted strings are unescaped
re:3CORESec "^alert ip (.*) any -> \$HOME_NET any \(msg:\"ET 3CORESec" "alert ip $HOME_NET any -> \\1 any (msg:\"ET 3CORESec"
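To check that a modify.conf line like the one above actually flips the direction before putting it in production, here is a small Python sketch added for this thread (not suricata-update's own code, and not the rule set's): it parses the line the way suricata-update does (shlex.split into matcher, from-pattern and replacement, then re.sub on each rule the matcher hits) and runs it over constructed sample rules in the ET Poor Reputation style; it also generates the per-sid suppress lines from the first post, so you do not have to write them by hand. The rule text, msgs and 192.0.2.x/198.51.100.x lists are constructed; only the sids come from the thread.

```python
import re
import shlex

# Constructed sample rules in the ET "Poor Reputation" style (not real ET signatures).
SAMPLE_RULES = """\
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"ET 3CORESec Poor Reputation IP group 1"; classtype:misc-attack; sid:2403379; rev:1;)
alert ip [198.51.100.5] any -> $HOME_NET any (msg:"ET 3CORESec Poor Reputation IP group 2"; classtype:misc-attack; sid:2403384; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET POLICY Outbound FTP"; classtype:policy-violation; sid:2000001; rev:1;)
"""

# The modify.conf line: <matcher> "<from regex>" "<replacement>". The "(" before msg
# must be escaped in the regex, and "\\1" becomes "\1" after shlex unescaping.
MODIFY_LINE = r'''re:3CORESec "^alert ip (.*) any -> \$HOME_NET any \(msg:\"ET 3CORESec" "alert ip $HOME_NET any -> \\1 any (msg:\"ET 3CORESec"'''


def parse_modify_line(line):
    """Split one modify.conf line into (matcher, from-pattern, replacement)."""
    matcher, frm, to = shlex.split(line)
    if not matcher.startswith("re:"):
        raise ValueError("only re: matchers are handled in this sketch")
    return re.compile(matcher[3:], re.I), re.compile(frm), to


def apply_modify(rules_text, line):
    """Return the rule set with the modify line applied to every rule the matcher hits."""
    matcher, pattern, repl = parse_modify_line(line)
    out = []
    for rule in rules_text.splitlines():
        if matcher.search(rule):
            rule = pattern.sub(repl, rule)
        out.append(rule)
    return out


def suppress_lines(rules_text, msg_substring, ip, track="by_dst"):
    """Emit one threshold.config suppress line per rule whose msg contains msg_substring."""
    lines = []
    for rule in rules_text.splitlines():
        msg = re.search(r'msg:"([^"]*)"', rule)
        sid = re.search(r"\bsid:(\d+);", rule)
        if msg and sid and msg_substring in msg.group(1):
            lines.append(f"suppress gen_id 1, sig_id {sid.group(1)}, track {track}, ip {ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(apply_modify(SAMPLE_RULES, MODIFY_LINE)))
    print("\n".join(suppress_lines(SAMPLE_RULES, "Poor Reputation", "192.168.90.10")))
```

Point `suppress_lines` at the real emerging-all.rules (or the 3CORESec file) to get the full suppress list; the third sample rule shows that rules the matcher does not hit pass through untouched.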
Yes, something like that is an interesting solution. I will look at it in more detail and report back.
Thank you for the direction.