How to tune out alerts for a specific SID when observed between two specific IP addresses?

Hi! I’m running Suricata 6.0.10 in IDS mode. I’m trying to figure out a way to tune our noisy alerts for a particular SID, but ONLY between two particular IP addresses. Is this possible? An example would be much appreciated.

There are several options; you can find them at 11.7. Ignoring Traffic — Suricata 7.0.2-dev documentation, so yes, this is possible.

Hi Andreas,

Thank you for the fast reply!

From what I’ve understood, both a BPF filter and a ‘pass’ rule could be used to ignore traffic based on IP, protocol, ports etc., but at least BPF works BEFORE the Suricata detection engine compares the traffic to existing signatures, so I don’t believe that would work. The ‘pass’ rule seems to apply to an in-line IPS setup, but I am using Suricata only for mirrored/span port traffic as IDS.

To clarify, I am seeing traffic for a certain SID between multiple IP pairs, and for that SID I want to hide alerts BETWEEN certain IP pairs, but show everything else. My initial thought was that the ‘suppress’ rules would be applicable here, but I can’t make the rules granular enough.

To give an example: I see Windows update P2P alerts (SID 2027766) between the following hosts… → → → → → →

… and I don’t want to see alerts for this activity between the following IP pairs: → →

I can’t suppress by_src (.5, .6) or by_dst (.10, .20), as I would miss alerts for some of the other pairs. I would need something like “track by_pair”, but that doesn’t seem to exist.

Would you have examples or a link to more documentation about suppress available? It’s also possible that I am misunderstanding the ‘pass’ rule functionality, so any clarification would be welcome.

Thank you!
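The over-suppression described in the post above, modelled over constructed EVE alert records (an added example, not code from the thread or from Suricata). The IP pairs, the second SID and all function names are assumptions; `keep_by_pair` goes beyond the thread by showing the pair-scoped, direction-independent filter the poster is asking for, applied to EVE output rather than inside Suricata.

```python
import json

SID = 2027766  # SID named in the thread
# Constructed pairs (RFC 5737 addresses); the thread's real IPs are not shown.
QUIET_PAIRS = {frozenset({"192.0.2.5", "192.0.2.10"}),
               frozenset({"192.0.2.6", "192.0.2.20"})}

def _line(src, dst, sid=SID):
    return json.dumps({"event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "alert": {"signature_id": sid}})

# Constructed EVE alert lines, not output from a real sensor.
SAMPLE_EVE = "\n".join([
    _line("192.0.2.5", "192.0.2.10"),           # quiet pair
    _line("192.0.2.5", "192.0.2.30"),           # must stay visible
    _line("192.0.2.6", "192.0.2.20"),           # quiet pair
    _line("192.0.2.6", "192.0.2.10"),           # must stay visible
    _line("192.0.2.7", "192.0.2.20"),           # must stay visible
    _line("192.0.2.10", "192.0.2.5"),           # quiet pair, reverse direction
    _line("192.0.2.5", "192.0.2.10", 1000001),  # constructed other SID, must stay
])

def parse(text):
    """Return (src, dst, sid) for every alert event in EVE JSON lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("event_type") == "alert":
            out.append((ev["src_ip"], ev["dest_ip"], ev["alert"]["signature_id"]))
    return out

def keep_by_src(alerts, sid, ips):
    """Model of a suppress tracked by_src: drop the SID when the source matches."""
    return [a for a in alerts if not (a[2] == sid and a[0] in ips)]

def keep_by_dst(alerts, sid, ips):
    """Model of a suppress tracked by_dst: drop the SID when the destination matches."""
    return [a for a in alerts if not (a[2] == sid and a[1] in ips)]

def keep_by_pair(alerts, sid, pairs):
    """Drop the SID only when both endpoints form a listed pair, either direction."""
    return [a for a in alerts if not (a[2] == sid and frozenset(a[:2]) in pairs)]

def wrongly_hidden(kept, alerts, sid, pairs):
    """Alerts a filter removed although they are not in a quiet pair."""
    return [a for a in alerts if a not in kept
            and not (a[2] == sid and frozenset(a[:2]) in pairs)]
```

`wrongly_hidden` lists the alerts each approach hides by mistake; the source-tracked model also leaves the reverse-direction alert of a quiet pair visible.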

Hi Andreas,

Following up on this, were there other options for this type of approach? Just to clarify, the options on the earlier link did not include a solution for tuning alerts for a specific SID and between two specific IP addresses.

Links and examples would be highly appreciated, thank you!

No, they would work as well in IDS mode; especially in your scenario it might be the best fit.

An alternative with tracking both parts could be setting thresholds: 12.2. Global-Thresholds — Suricata 8.0.0-dev documentation