Ignore certain traffic

neutron · October 2, 2022, 3:52pm

Hello guys, I’m pretty new to Suricata. I just set it up on a Ubuntu VM on my proxmox host, so I can play around with it in my lab. So far so good. Question: In my lab I’m using windows event forwarding, so all logs from my servers get forwarded to my wec.

Suricata detects this as the following:

10/02/2022-15:34:09.580219  [**] [1:2026850:3] ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.10.21:61267 -> 10.10.10.24:5985

10/02/2022-15:35:42.819464  [**] [1:2026850:3] ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.10.20:62211 -> 10.10.10.24:5985

This is the logs being pushed from .20(dc01)/.21(dc02) to my wec(.24). What’s the best way to filter this out? Tried to find something in the docs, but wasn’t sure how to fix this.

lex · October 3, 2022, 12:33pm

You can ignore that traffic with suppress rules.

https://suricata.readthedocs.io/en/suricata-6.0.3/performance/ignoring-traffic.html?highlight=suppress#suppress

Or with bypass keyword.

jmtaylor90 · October 3, 2022, 4:25pm

If you aren’t interested in that particular rule because it’s expected traffic in your environment, you can always just disable that rule using your rule management engine (pulledpork, suricata-update, etc.)

JT

Topic		Replies	Views
Ignoring traffic when suricata machine is router Help suricata	8	76	December 7, 2024
Suricata traffic to siem Help	7	79	August 21, 2024
Suricata ignore Rule by IP	3	2830	July 26, 2021
Ignoring noisy events (dns, http) Help	9	1239	March 8, 2024
How to tune out alerts for specific SID when observed between two specific IP addresses? Rules	4	790	October 26, 2023

Ignore certain traffic

Related topics