There are a lot of false positives in certain Suricata rules, so I want to improve this.
I want to ignore only src: 10.0.0.53 → 10.0.15.51 in the "GPL ATTACK_RESPONSE id check returned root" signature.
First, threshold.config was used for testing.
"suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.53"
This was applied:
"suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.53, track by_dst, ip 10.0.15.51"
Is this even possible?
What should I do to handle exceptions by applying an additional IP and port… It is too difficult to manage and write them down in the rule.
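The two suppress lines in the post can be checked against the grammar Suricata documents for a threshold.config suppress entry, which is `suppress gen_id <gid>, sig_id <sid>` optionally followed by exactly one `track <by_src|by_dst|by_either>, ip <ip|subnet|addressvar>` pair. The checker below is an added example written for this page, not code from the Suricata project or the poster; the function names, the `IP_FIELD` pattern and the sample config are my own constructions, and it assumes the `ip` field is a single address, CIDR or `$variable` (bracketed address lists and `threshold`/`rate_filter` entries are not handled).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented grammar of a threshold.config "suppress" entry:
#   suppress gen_id <gid>, sig_id <sid>
#   suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst|by_either>, ip <ip|subnet|addressvar>
# One entry carries at most ONE "track ..., ip ..." pair. This checker (hypothetical
# helper, not Suricata's own parser) assumes ip is a single address, CIDR or $variable.
TRACK_VALUES = {"by_src", "by_dst", "by_either"}
IP_FIELD = re.compile(r"^(\$\w+|[0-9a-fA-F:.]+(/\d{1,3})?)$")


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str] = None  # None: the sid is suppressed for every host
    ip: Optional[str] = None


class SuppressSyntaxError(ValueError):
    """Raised for a line outside the documented suppress grammar."""


def parse_suppress(line: str) -> Suppress:
    # Tolerate the straight or curly quotes that surround a line pasted into a post.
    text = line.strip().strip('"\u201c\u201d').strip()
    if not text.startswith("suppress "):
        raise SuppressSyntaxError(f"not a suppress entry: {line!r}")
    pairs: List[Tuple[str, str]] = []
    for field in text[len("suppress "):].split(","):
        parts = field.split()
        if len(parts) != 2:
            raise SuppressSyntaxError(f"malformed field {field.strip()!r} (expected '<key> <value>')")
        pairs.append((parts[0], parts[1]))
    keys = [k for k, _ in pairs]
    if keys[:2] != ["gen_id", "sig_id"]:
        raise SuppressSyntaxError("entry must start with 'gen_id <gid>, sig_id <sid>'")
    if not (pairs[0][1].isdigit() and pairs[1][1].isdigit()):
        raise SuppressSyntaxError("gen_id and sig_id must be integers")
    entry = Suppress(gen_id=int(pairs[0][1]), sig_id=int(pairs[1][1]))
    if len(pairs) == 2:
        return entry
    # Anything beyond gen_id/sig_id must be exactly one track/ip pair.
    if keys[2:] != ["track", "ip"]:
        raise SuppressSyntaxError(
            f"expected exactly one 'track <by_src|by_dst|by_either>, ip <addr>' pair, got {keys[2:]}")
    track, ip = pairs[2][1], pairs[3][1]
    if track not in TRACK_VALUES:
        raise SuppressSyntaxError(f"unknown track value {track!r}")
    if not IP_FIELD.match(ip):
        raise SuppressSyntaxError(f"ip field {ip!r} is not an address, CIDR or $variable")
    entry.track, entry.ip = track, ip
    return entry


def validate_suppress(line: str) -> Optional[str]:
    """None when the line parses; otherwise the reason it was rejected."""
    try:
        parse_suppress(line)
        return None
    except SuppressSyntaxError as exc:
        return str(exc)


def check_threshold_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every suppress line that is not valid."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        # Skip blanks, comments and entry types this checker does not model.
        if not stripped or stripped.startswith("#") or not stripped.startswith("suppress"):
            continue
        reason = validate_suppress(stripped)
        if reason is not None:
            problems.append((lineno, reason))
    return problems


# Constructed sample: the two lines from the post plus a by_either variant.
SAMPLE_CONFIG = """\
# exceptions for GPL ATTACK_RESPONSE id check returned root
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.53
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.53, track by_dst, ip 10.0.15.51
suppress gen_id 1, sig_id 2100498, track by_either, ip 10.0.15.51
"""

if __name__ == "__main__":
    for lineno, reason in check_threshold_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}")
```

Run against the sample, the checker accepts the first suppress line and the `by_either` line and rejects the second line from the post, because the documented entry format admits a single `track`/`ip` clause: a source-to-destination pair cannot be expressed in one suppress entry under that grammar.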