Hello guys, I’m pretty new to Suricata. I just set it up on an Ubuntu VM on my Proxmox host so I can play around with it in my lab. So far so good. Question: in my lab I’m using Windows Event Forwarding, so all logs from my servers get forwarded to my WEC.
Suricata detects this as the following:
10/02/2022-15:34:09.580219 [**] [1:2026850:3] ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.10.21:61267 -> 10.10.10.24:5985
10/02/2022-15:35:42.819464 [**] [1:2026850:3] ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.10.20:62211 -> 10.10.10.24:5985
These are the logs being pushed from .20 (dc01) / .21 (dc02) to my WEC (.24). What’s the best way to filter this out? I tried to find something in the docs, but wasn’t sure how to fix this.
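The usual answer is a `suppress` entry in threshold.config (the file named by `threshold-file:` in suricata.yaml) that is scoped to the two known forwarders with `track by_src`, so sid 2026850 keeps firing for any other host that speaks WinRM to the collector. Suppressing with `track by_dst, ip 10.10.10.24` would also silence the alert, but then a third machine pushing commands to the collector over 5985 would be hidden, which is exactly the lateral movement the rule is meant to catch. The script below is an added example, not code from the Suricata project or from the poster: it embeds the two suppress lines, models how Suricata's suppress matching scopes them (gid/sid plus by_src or by_dst address check), and runs that over the two fast.log lines from the post plus one constructed line for a host (10.10.10.77, an assumption) that is not on the list and should still alert.

```python
"""Model of how a Suricata threshold.config `suppress` entry scopes an alert.

Added example, not Suricata's own code.  The matching semantics are a model
of what the real engine does for gid/sid + by_src/by_dst address checks.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# What you would put in /etc/suricata/threshold.config: suppress the ET
# WinRM user-agent rule only for the two DCs that legitimately forward events.
THRESHOLD_CONFIG = """
# WEF pushes over WinRM (HTTP/5985) from the DCs to the collector; expected.
suppress gen_id 1, sig_id 2026850, track by_src, ip 10.10.10.20
suppress gen_id 1, sig_id 2026850, track by_src, ip 10.10.10.21
"""

# Lines 1-2 are the fast.log lines from the post; line 3 is constructed
# (10.10.10.77 is a made-up host that is NOT on the suppress list).
FAST_LOG = """\
10/02/2022-15:34:09.580219 [**] [1:2026850:3] ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.10.21:61267 -> 10.10.10.24:5985
10/02/2022-15:35:42.819464 [**] [1:2026850:3] ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.10.20:62211 -> 10.10.10.24:5985
10/02/2022-16:01:07.000000 [**] [1:2026850:3] ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.10.77:50112 -> 10.10.10.24:5985
"""


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    src: str
    dst: str


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]                       # "by_src", "by_dst" or None
    net: Optional[ipaddress.IPv4Network]       # None = suppress for every host

    def matches(self, a: Alert) -> bool:
        """True when this entry would silence alert `a`."""
        if (self.gid, self.sid) != (a.gid, a.sid):
            return False
        if self.track is None:                 # bare suppress: whole signature off
            return True
        addr = ipaddress.ip_address(a.src if self.track == "by_src" else a.dst)
        return addr in self.net


# [gid:sid:rev] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*\{\w+\} (\S+):\d+ -> (\S+):\d+$")


def parse_fast_log(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m[1]), int(m[2]), m[3], m[4]))
    return alerts


def parse_threshold_config(text: str) -> List[Suppress]:
    """Parse `suppress gen_id N, sig_id N[, track by_src|by_dst, ip X]` lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blank lines
        if not line.startswith("suppress"):
            continue
        fields = dict(tok.strip().split(None, 1)
                      for tok in line[len("suppress"):].split(","))
        track = fields.get("track")
        if track is not None and "ip" not in fields:
            raise ValueError(f"track without ip: {line}")
        net = ipaddress.ip_network(fields["ip"], strict=False) if "ip" in fields else None
        entries.append(Suppress(int(fields["gen_id"]), int(fields["sig_id"]), track, net))
    return entries


def apply_suppressions(alerts: List[Alert], entries: List[Suppress]) -> List[Alert]:
    return [a for a in alerts if not any(s.matches(a) for s in entries)]


def surviving_sources(fast_log: str = FAST_LOG,
                      threshold_config: str = THRESHOLD_CONFIG) -> List[str]:
    """Source IPs whose alerts are still raised after suppression."""
    alerts = parse_fast_log(fast_log)
    entries = parse_threshold_config(threshold_config)
    return [a.src for a in apply_suppressions(alerts, entries)]


if __name__ == "__main__":
    print("still alerting:", surviving_sources())
    print("with by_dst on the collector:",
          surviving_sources(threshold_config=
                            "suppress gen_id 1, sig_id 2026850, track by_dst, ip 10.10.10.24"))
```

After adding the two lines to the real threshold.config, validate with `suricata -T -c /etc/suricata/suricata.yaml` and reload the ruleset (`suricatasc -c ruleset-reload-rules`, or send the Suricata process SIGUSR2) rather than restarting. Running the script shows the by_src entries leave only 10.10.10.77 alerting, whereas a by_dst entry on the collector silences all three.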