There are a lot of false positives in certain Suricata rules, so I want to improve this.
I want to ignore only src: 10.0.0.53 → 10.0.15.51 in the “GPL ATTACK_RESPONSE id check returned root” signature.
First, threshold.config was used for testing.
“suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.53”
This was applied,
“suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.53, track by_dst, ip 10.0.15.51”
Is this even possible?
What should I do to handle exceptions by applying additional IPs and ports? It is too difficult to manage and write them down in the rule.
It seems that the bypass keyword can handle this exception perfectly. Have you tried it?
alert http any any -> any any (content:"suricata-ids.org"; \
http_host; bypass; sid:10001; rev:1;)
If you want to ignore traffic from one IP to another, or with specific ports, things get more complicated.
Using pass rules or the bypass keyword might cast too wide a net, as it would ignore all traffic matching the rule, not just stop alerts from one rule to or from specific hosts/ports.
You could have a look at the suricata-update modify.conf and use a regex to change the source and destination + port to ignore the IPs and ports you don’t want to see.
This can be a never-ending struggle with FP-prone rules; at some point I would just disable the rules causing the most trouble.
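As an added example (not code from the thread or from the Suricata project), the snippet below shows the header-rewrite approach from the reply above in working form. It builds the suricata-update modify.conf line that excludes one source from sid 2100498, then shows why a source->destination pair needs two rules rather than one header (Suricata negation applies per address field), and includes a small header evaluator to confirm that only the 10.0.0.53 -> 10.0.15.51 pair stops matching. The sample rule is constructed and shortened (only the sid, rev, msg and content quoted here are taken from the real rule), the new sid 9000001 is an arbitrary choice for a local rule, and the evaluator is an assumption of this example: it handles plain IPs, CIDRs, negation and flat lists, not address variables or nested lists.

```python
"""Added example: exclude one src -> dst pair from one Suricata rule.

Three things the thread touches, in code:
  * a suricata-update modify.conf line that rewrites the rule header,
  * the split into two rules that excludes exactly the pair, and
  * a small header evaluator to check that only the pair is excluded.
"""
import ipaddress
import re

# Constructed sample, shaped like the rule discussed in the thread; the body is
# shortened and the sid/rev are the ones quoted on the page.
SAMPLE_RULE = (
    'alert ip any any -> any any '
    '(msg:"GPL ATTACK_RESPONSE id check returned root"; '
    'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)'
)

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<body>\(.*\))$"
)


def parse_rule(rule):
    """Split a one-line rule into header fields plus the '(...)' option body."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Suricata rule: %r" % rule)
    return m.groupdict()


def build_rule(p):
    return "%(action)s %(proto)s %(src)s %(sport)s %(dir)s %(dst)s %(dport)s %(body)s" % p


def with_sid(body, sid):
    return re.sub(r"sid:\s*\d+;", "sid:%d;" % sid, body)


def modify_conf_line(sid, src_ip):
    """suricata-update modify.conf entry (format: sid "regex" "replacement")
    that keeps the sid but stops the rule matching anything from src_ip.
    This is the by-source exclusion the reply describes; it cannot express a
    src->dst pair, because negation applies to one address field at a time."""
    return '%d "^alert ip any any" "alert ip !%s any"' % (sid, src_ip)


def split_rule_excluding_pair(rule, src_ip, dst_ip, new_sid):
    """Return (rule_a, rule_b) that together fire on everything the original
    fired on except src_ip -> dst_ip:
      rule_a: original header with source != src_ip (same sid)
      rule_b: source == src_ip, destination != dst_ip (new sid, assumed local)
    Only handles headers with 'any' source and destination, like 2100498."""
    p = parse_rule(rule)
    if p["src"] != "any" or p["dst"] != "any":
        raise ValueError("example only handles 'any any -> any any' headers")
    a = dict(p, src="!%s" % src_ip)
    b = dict(p, src=src_ip, dst="!%s" % dst_ip, body=with_sid(p["body"], new_sid))
    return build_rule(a), build_rule(b)


def addr_matches(field, ip):
    """Simplified evaluator for a Suricata address field: any, ip, cidr,
    !x, and one level of [a,b,!c]. Address variables ($HOME_NET) and nested
    lists are not supported (assumption of this example)."""
    if field == "any":
        return True
    if field.startswith("!"):
        return not addr_matches(field[1:], ip)
    if field.startswith("["):
        parts = [s.strip() for s in field[1:-1].split(",")]
        positive = [s for s in parts if not s.startswith("!")]
        negative = [s[1:] for s in parts if s.startswith("!")]
        included = any(addr_matches(s, ip) for s in positive) if positive else True
        return included and not any(addr_matches(s, ip) for s in negative)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def rule_fires(rule, src_ip, dst_ip):
    """Header-only check: would the rule be considered for this src/dst?
    Content matching is ignored and ports are 'any' in the sample."""
    p = parse_rule(rule)
    return addr_matches(p["src"], src_ip) and addr_matches(p["dst"], dst_ip)


if __name__ == "__main__":
    rule_a, rule_b = split_rule_excluding_pair(SAMPLE_RULE, "10.0.0.53", "10.0.15.51", 9000001)
    print(modify_conf_line(2100498, "10.0.0.53"))
    print(rule_a)
    print(rule_b)
    pairs = [("10.0.0.53", "10.0.15.51"), ("10.0.0.53", "10.0.15.52"), ("10.0.0.54", "10.0.15.51")]
    for src, dst in pairs:
        print(src, "->", dst, "fires:", rule_fires(rule_a, src, dst) or rule_fires(rule_b, src, dst))
```

The modify.conf line is the cheaper option when dropping everything from 10.0.0.53 is acceptable; the two-rule split is what it takes to exclude exactly one pair while keeping the same content match, at the cost of maintaining a second sid in a local rules file. Neither touches other rules, which is the drawback of a pass rule for the pair that the reply above points out.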
Is it src → dst to create a new rule with the bypass keyword for a specific rule?