Suricata rule - deployment metadata

Nigel_Jones · April 23, 2024, 11:01am

I’m trying to optimize rules that I use to mitigate any performance impact/false positives.

The deployment field in a rule seems to allow

Datacenter
Internal
Internet
Perimeter
SSLDecrypt
alert only

Since I’m a home user, considering using Suricata on LAN (with no external services incoming) I’m thinking of policies
Internal → block
SSLDecrypt → disable (I am not introducing a proxy)
alert_only → alert
Perimeter, INternet, DataCenter → disable (I am not a data center, and a firewall protects the perimeter… internet I’m less clear on)

I couldn’t find any good docs on this - does it make sense?
Is this metadata fairly reliable?

Nigel_Jones · April 23, 2024, 11:09am

I’ve noticed quite a lot of rules don’t set this metadata. Most rules also default to Alert, so allowing this to fall through, remain enabled, but with alert, seems to make sense?

Nigel_Jones · April 23, 2024, 11:14am

A huge majority of rules are ‘perimeter’. I’m trying to detect wierd internal traffic that could be signs of a worm, botnet or similar. So this would be outbound traffic from the wan typically - hence my choice of metadata above?

Andreas_Herz · April 25, 2024, 3:59pm

What ruleset are you using and what type of metadata are you referring to?
Different rulesets use different metadata additions.

Topic		Replies	Views
Fast.log entry/entries Help ips	3	914	February 17, 2021
Inconsistency in Alert Triggers Between Suricata 7.0.4 and 7.0.5 Help rules , suricata	7	79	September 29, 2024
TLS offloaded sensor, suppress certain rules for only that sensor? Rules	2	184	March 13, 2024
Unreal_ircd_3281_backdoor) Rules	10	803	February 21, 2021
Suppress alerts around known false positive! Rules	8	2670	August 16, 2023

Suricata rule - deployment metadata

Related topics