Rule threshold configuration

I have a rule that is causing me a lot of false positives. This rule is always triggered from the same source IP to the same destination IP.

I want to suppress this rule only from that specific combination of destination and source IP. If I use the “track by_src” or “track by_dst” it will suppress all the alerts from or to those IPs.

I only want to suppress the rule from IP x to IP y.

https://suricata.readthedocs.io/en/latest/configuration/global-thresholds.html#track
Like this? Tracking by both is supported.

EDIT:
Never mind. That was for threshold not suppress. Sounds like adding a flowbit and noalert to your existing rule and adding a new rule checking that flowbit and checking that the IP addresses are not the ones you want to suppress might be the easiest way.

I’d say there are a couple ways to “ignore” alerts between two IPs.

One way would be to modify the rule itself to negate the source and dest IP addresses in the source/dest host variables.

Another method is to configure a “Suppression” via the global threshold configuration. Though it doesn’t look like you can put both the src and dest ip into this logic.

9.7. Ignoring Traffic — Suricata 7.0.0-dev documentation

10.2. Global-Thresholds — Suricata 7.0.0-dev documentation

But my favorite way is to actually fix the logic in the rule to avoid triggering on the false positive content. While you didn’t provide the source of the signature, if it’s not an internal rule, consider reaching out to the author of the rule and reporting the False Positive and providing some details of the traffic.

Reports of these FPs are greatly appreciated and can ensure that others don’t experience the same issues.

If the rule is from Emerging Threats, consider using the feedback portal!
https://feedback.emergingthreats.net/

  • Full Disclosure - I am currently employed by Emerging Threats.
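
The address-negation approach mentioned in this thread, written out for a single source/destination pair as an added example (not posted by anyone in the thread and not taken from a real ruleset). Negating both addresses in one rule header would also silence every other alert from X and every other alert to Y, so the exclusion is split across two rules. The addresses (documentation ranges), sids, msg text and content match are constructed, and the original rule is assumed to use `any any -> any any`.

```suricata
# Constructed example. X = 192.0.2.10 (source), Y = 198.51.100.20 (destination).
# Assumed original rule (hypothetical sid and content), noisy only for X -> Y:
#   alert http any any -> any any (msg:"EXAMPLE noisy rule"; flow:established,to_server; http.uri; content:"/example-path"; sid:1000001; rev:1;)

# Too broad: a single header with both addresses negated matches only when
# src != X AND dst != Y, so alerts from X to other hosts and alerts from
# other hosts to Y are lost as well.
#   alert http !192.0.2.10 any -> !198.51.100.20 any (...)

# Exact exclusion: NOT (src == X AND dst == Y) is equivalent to
#   (src != X)  OR  (src == X AND dst != Y)
# which takes two rules, each with its own sid.

# Any source other than X, any destination.
alert http !192.0.2.10 any -> any any (msg:"EXAMPLE noisy rule (src not X)"; flow:established,to_server; http.uri; content:"/example-path"; sid:1000002; rev:1;)

# Source X, any destination other than Y.
alert http 192.0.2.10 any -> !198.51.100.20 any (msg:"EXAMPLE noisy rule (src X, dst not Y)"; flow:established,to_server; http.uri; content:"/example-path"; sid:1000003; rev:1;)
```

Load these in place of the original sid so the unrestricted rule no longer fires. The two headers are mutually exclusive, so a matching request raises one alert, not two.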