Suppress alerts around known false positive!

I’m using Suricata on an OPNSense machine at home and after reviewing the alerts realized that the Synology NAS is hardcoded to make calls to the QuickConnect.to domain for user convenience.

On my intrusion detection rules the .to TLD is blocked and hence the alert was generated. It was quite insightful to even know what my NAS is doing!

But these alerts are still clogging the UI in OPNSense. Is there a way to enforce a policy that will either not log these alerts or just drop them from the UI?

You could suppress the rule for a specific IP, or threshold it so that you get fewer alerts for it.

Examples:

suppress gen_id 1, sig_id 2802104, track by_src, ip 192.168.0.54

threshold gen_id 1, sig_id 2013504, type both, track by_src, count 1, seconds 600

The first (suppress) will not generate an alert for the rule 2802104 for IP 192.168.0.54 at all.

The second (threshold) will only generate an alert for rule 2013504 at most once per ten minutes per IP.

You would place these lines in your threshold.config. Not sure if OPNsense GUI has a straightforward way to do that or that you need to dive into the CLI.

More info on thresholding in general:

https://suricata.readthedocs.io/en/suricata-6.0.3/configuration/global-thresholds.html

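To see what the two threshold.config lines above actually do to an alert stream, here is an added Python model (not code from the thread or from Suricata) that parses those exact lines and replays a constructed set of alerts through them. It implements a simplified version of Suricata's `suppress`/`track by_src` and `threshold type both`/`track by_src` semantics; the sig_id 9999999 event is a placeholder for a rule with no threshold entry.

```python
from collections import defaultdict
THRESHOLD_CONFIG = """
suppress gen_id 1, sig_id 2802104, track by_src, ip 192.168.0.54
threshold gen_id 1, sig_id 2013504, type both, track by_src, count 1, seconds 600
"""
def parse_threshold_config(text):
    """Parse suppress/threshold lines into a dict keyed by (gen_id, sig_id)."""
    rules = {}
    for line in text.strip().splitlines():
        kind, rest = line.split(None, 1)
        fields = dict(part.split() for part in rest.split(","))
        rules[(int(fields["gen_id"]), int(fields["sig_id"]))] = {"kind": kind, **fields}
    return rules
def apply_rules(rules, events):
    """Return the (ts, gen_id, sig_id, src_ip) events that would still alert.
    Simplified model: suppress/track by_src drops events from the listed source;
    threshold type both/track by_src alerts once per source when `count` hits
    land inside `seconds`, then stays quiet until that window expires."""
    windows = defaultdict(lambda: [None, 0])  # (gid, sid, src) -> [start, hits]
    alerts = []
    for ts, gid, sid, src in events:
        rule = rules.get((gid, sid))
        if rule is None:
            alerts.append((ts, gid, sid, src))
        elif rule["kind"] == "suppress":
            if src != rule["ip"]:
                alerts.append((ts, gid, sid, src))
        else:
            win = windows[(gid, sid, src)]
            if win[0] is None or ts - win[0] >= int(rule["seconds"]):
                win[0], win[1] = ts, 0  # start a new window
            win[1] += 1
            if win[1] == int(rule["count"]):
                alerts.append((ts, gid, sid, src))
    return alerts

# Constructed alert stream (unix_ts, gen_id, sig_id, src_ip); 9999999 is a placeholder sig_id.
SAMPLE_EVENTS = [
    (0,   1, 2802104, "192.168.0.54"),  # NAS hitting the suppressed sig: dropped
    (1,   1, 2802104, "192.168.0.77"),  # another host, same sig: still alerts
    (10,  1, 2013504, "192.168.0.54"),  # first hit in window: alerts
    (200, 1, 2013504, "192.168.0.54"),  # same 600 s window: dropped
    (300, 1, 2013504, "192.168.0.99"),  # tracked per source: alerts
    (700, 1, 2013504, "192.168.0.54"),  # window expired: alerts again
    (701, 1, 9999999, "10.0.0.1"),      # no rule configured: alerts
]

def remaining_alerts():
    return apply_rules(parse_threshold_config(THRESHOLD_CONFIG), SAMPLE_EVENTS)
```

Running `remaining_alerts()` shows that only the NAS's own hits on the suppressed signature disappear, while the thresholded signature still fires once per source per ten minutes.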

Hi Victor,

Thanks for your response and seems like this is exactly what I need :grinning:

Let me dig deeper into OPNSense documentation to see if CLI offers more control than the UI.

This is my second week running Suricata and I’ve already learnt more about my home LAN in these two weeks than in the last four years put together :sunglasses:

Thanks!