Ignoring noisy events (dns, http)

Hello everyone,

I am trying to reduce noise on my Splunk Enterprise Security, originating mainly from DNS (and http) events in Suricata.

Specifically, I have a huge number of DNS requests to sites like partnerweb.vmware.com, Microsoft and McAfee which I would like to silence.

I have tried both alert and pass rules along with the bypass modifier:

alert dns any any -> any 53 (dns.query; content:".vmware.com"; bypass; sid:10000000;)
pass dns any any -> any 53 (dns.query; content:".vmware.com"; bypass; sid:10000000;)

Events keep being generated, though, and I receive no errors when restarting Suricata.

Any help would be appreciated.

Thank you in advance.

With kind regards,

Chris

You can use conditional logging instead of bypass rules:

config dns any any -> any any (msg:"Conditional logging - DNS wildcard dotprefix"; dns.query; dotprefix; content:".vmware.com"; nocase; endswith; config: logging disable, type tx, scope tx; sid:2;)

Bypass will not remove the query, but it will cause detection to no longer be done on the flow.
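To see which query names the rule above actually silences, here is a small model of its matching steps (dotprefix, then a case-insensitive endswith on the content). This is an added illustration written for this thread, not Suricata's own code or a reply from the forum; the suffix list and the sample query names are constructed, and the model follows the documented semantics of dotprefix and endswith rather than Suricata's internal buffers.

```python
"""Model of the conditional-logging rule's match logic:
   dns.query; dotprefix; content:".vmware.com"; nocase; endswith;
Added example for this thread, not Suricata code. The suffixes and the
sample query names below are constructed for illustration."""

# One suffix per "config ... logging disable" rule, written as the content
# looks after dotprefix (leading dot). Constructed list.
SUPPRESSED_SUFFIXES = [".vmware.com", ".microsoft.com", ".mcafee.com"]


def dotprefix(buffer: str) -> str:
    """The dotprefix transform prepends '.' to the buffer, so the bare
    'vmware.com' becomes '.vmware.com' and matches the same suffix content
    that 'partnerweb.vmware.com' matches."""
    return "." + buffer


def matches_rule(query: str, suffix: str) -> bool:
    """content:<suffix>; nocase; endswith; evaluated on the transformed buffer."""
    return dotprefix(query).lower().endswith(suffix.lower())


def matches_without_dotprefix(query: str, suffix: str) -> bool:
    """Same content/nocase/endswith but with the transform left out, to show
    why the bare apex domain would then slip through."""
    return query.lower().endswith(suffix.lower())


def is_logged(query: str) -> bool:
    """True when no suppression rule hits, i.e. the DNS transaction would
    still be written to eve.json and forwarded to the SIEM."""
    return not any(matches_rule(query, s) for s in SUPPRESSED_SUFFIXES)


def filter_queries(queries):
    """Return only the query names that would still be logged."""
    return [q for q in queries if is_logged(q)]


# Constructed sample of values as they would appear in dns.query
SAMPLE_QUERIES = [
    "partnerweb.vmware.com",    # suppressed: subdomain suffix match
    "vmware.com",               # suppressed only because of dotprefix
    "VMWARE.COM",               # suppressed: nocase
    "evilvmware.com",           # still logged: '.vmware.com' is not a suffix
    "vmware.com.evil.example",  # still logged: endswith, not a substring match
    "update.mcafee.com",        # suppressed
    "example.org",              # still logged
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        state = "logged" if is_logged(q) else "suppressed"
        print(f"{q:28s} {state}")
    # Shows the caveat: without dotprefix the apex domain is not silenced.
    print("vmware.com without dotprefix matched:",
          matches_without_dotprefix("vmware.com", ".vmware.com"))
```

The two lookalike names in the sample are the useful part: because the rule uses endswith on a dot-prefixed buffer, a registrable domain that merely contains "vmware.com" is not silenced, so suppressing the vendor noise does not also hide a lookalike domain from the SIEM.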


That was a hidden gem in the docs. Many thanks!

One more question:

Can I use a separate file (e.g. conditional_formating.rules) to load the rules in suricata-update?

I am running suricata-update (in the log output I see <info> Loading local file conditional_formating.rules), but in the final suricata.rules file I cannot see my conditional formatting rules. There is no sid number conflict and no error in suricata.log.

As a workaround, I manually appended the rules to the final suricata.rules and it works. But it would be more convenient to load them with suricata-update as part of the rule management process.

Thanks a lot for your time.

BR

Chris

I'm not a big suricata-update user. Maybe @sbhardwaj or @ish know about this.