Suppress alerts around known false positives!

I’m using Suricata on an OPNSense machine at home and, after reviewing the alerts, I realized that the Synology NAS is hardcoded to make calls to the QuickConnect.to domain for user convenience.

In my intrusion detection rules the .to TLD is blocked, hence the alert was generated. It was quite insightful to even know what my NAS is doing!

But these alerts are still clogging the UI in OPNSense. Is there a way to enforce a policy that will either not log these alerts or just drop them from the UI?

You could suppress the rule for a specific IP, or threshold it so that you get fewer alerts for it.

Examples:

suppress gen_id 1, sig_id 2802104, track by_src, ip 192.168.0.54

threshold gen_id 1, sig_id 2013504, type both, track by_src, count 1, seconds 600

The first (suppress) will not generate an alert for the rule 2802104 for IP 192.168.0.54 at all.

The second (threshold) will only generate an alert for rule 2013504 at most once per ten minutes per IP.

You would place these lines in your threshold.config. Not sure if the OPNsense GUI has a straightforward way to do that or whether you need to dive into the CLI.

More info on thresholding in general:

https://suricata.readthedocs.io/en/suricata-6.0.3/configuration/global-thresholds.html

2 Likes
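As an added illustration (not from this thread and not Suricata's own code), the Python below parses the two example lines above and replays a constructed alert stream against them, so you can see which alerts would survive before editing threshold.config. It is a simplified model of the suppress and threshold semantics (fixed windows that start at the first matching event) and, going beyond the example, also covers the limit and threshold types next to the both shown above.

```python
import re
# Constructed threshold.config content, copied from the two example lines above.
THRESHOLD_CONFIG = """
suppress gen_id 1, sig_id 2802104, track by_src, ip 192.168.0.54
threshold gen_id 1, sig_id 2013504, type both, track by_src, count 1, seconds 600
"""
SUPPRESS_RE = re.compile(r"suppress gen_id (\d+), sig_id (\d+), track (by_src|by_dst), ip (\S+)")
THRESHOLD_RE = re.compile(r"threshold gen_id (\d+), sig_id (\d+), type (limit|threshold|both), track (by_src|by_dst), count (\d+), seconds (\d+)")

def parse_threshold_config(text):
    # Returns suppress {(gid, sid): [(track, ip)]} and thresholds {(gid, sid): (type, track, count, secs)}
    suppress, thresholds = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := SUPPRESS_RE.fullmatch(line):
            gid, sid, track, ip = m.groups()
            suppress.setdefault((int(gid), int(sid)), []).append((track, ip))
        elif m := THRESHOLD_RE.fullmatch(line):
            gid, sid, typ, track, count, secs = m.groups()
            thresholds[(int(gid), int(sid))] = (typ, track, int(count), int(secs))
        else:  # catch syntax slips before 'suricata -T' does
            raise ValueError(f"unparsable threshold.config line: {line!r}")
    return suppress, thresholds

def apply_rules(events, suppress, thresholds):  # keep the events that would still alert (simplified)
    kept, windows = [], {}  # windows: (gid, sid, tracked ip) -> (window start, events seen)
    for ts, gid, sid, src, dst in events:
        addr = {"by_src": src, "by_dst": dst}
        if any(addr[t] == ip for t, ip in suppress.get((gid, sid), [])):
            continue  # suppress: never alert for this rule + address
        if (gid, sid) in thresholds:
            typ, track, count, secs = thresholds[(gid, sid)]
            start, n = windows.get((gid, sid, addr[track]), (ts, 0))
            if ts - start >= secs:  # window expired, start a fresh one
                start, n = ts, 0
            windows[(gid, sid, addr[track])] = (start, n + 1)
            # limit: first 'count' per window; threshold: every count-th; both: once, at the count-th
            if not {"limit": n + 1 <= count, "threshold": (n + 1) % max(count, 1) == 0, "both": n + 1 == count}[typ]:
                continue
        kept.append((ts, gid, sid, src, dst))
    return kept

# Constructed alert stream: (timestamp in seconds, gid, sid, src ip, dst ip)
SAMPLE_EVENTS = [
    (0,   1, 2802104, "192.168.0.54", "203.0.113.10"),  # the NAS: suppressed outright
    (5,   1, 2802104, "192.168.0.77", "203.0.113.10"),  # another host: still alerts
    (10,  1, 2013504, "192.168.0.54", "203.0.113.10"),  # first in a 600 s window: alerts
    (100, 1, 2013504, "192.168.0.54", "203.0.113.10"),  # inside the window: dropped
    (700, 1, 2013504, "192.168.0.54", "203.0.113.10"),  # new window: alerts again
]
```

Running `apply_rules(SAMPLE_EVENTS, *parse_threshold_config(THRESHOLD_CONFIG))` keeps only the events at 5, 10 and 700 seconds.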

Hi Victor,

Thanks for your response; it seems like this is exactly what I need :grinning:

Let me dig deeper into OPNSense documentation to see if CLI offers more control than the UI.

This is my second week running Suricata and I’ve already learnt more about my home LAN in these two weeks than in the last four years put together :sunglasses:

Thanks!

Hi Victor,

I did find the threshold.conf file on OPNsense at /usr/local/etc/suricata.
This is working for me and I see a lot fewer entries causing noise in the alerts!

Thanks!

Hello
I installed Suricata and I have false positives!
I put these settings in suricata.yml:
rule-suppression:
  enabled: yes
  filename: /var/lib/suricata/rules/suppression.rules
And I added this to the rules: suppress gen_id 1, sig_id 2802104, track by_src, ip 192.168.1.20
But when I run suricata -T it gives me an error.

Can anyone help me?

@darab please open a new topic

1 Like

I made a new topic for the problem.

Also, please explain how to implement and configure it, step by step.
I added the path of this rule to the suricata.yml file, but there was a problem with the contents of this rule, and when I type the command suricata -T…, it gives an error for the rule.