Suricata rule - deployment metadata

I’m trying to optimize rules that I use to mitigate any performance impact/false positives.

The deployment field in a rule seems to allow

  • Datacenter
  • Internal
  • Internet
  • Perimeter
  • SSLDecrypt
  • alert only

Since I’m a home user, considering using Suricata on LAN (with no external services incoming), I’m thinking of policies:

  • Internal → block
  • SSLDecrypt → disable (I am not introducing a proxy)
  • alert_only → alert
  • Perimeter, Internet, Datacenter → disable (I am not a data center, and a firewall protects the perimeter… internet I’m less clear on)

I couldn’t find any good docs on this - does it make sense?
Is this metadata fairly reliable?

I’ve noticed quite a lot of rules don’t set this metadata. Most rules also default to Alert, so allowing this to fall through, remain enabled, but with alert, seems to make sense?

A huge majority of rules are ‘perimeter’. I’m trying to detect weird internal traffic that could be signs of a worm, botnet or similar. So this would be outbound traffic from the WAN typically - hence my choice of metadata above?
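The mapping sketched above, as an added example that is not from the original post or from Suricata itself: a small Python script that reads each rule's `metadata: deployment ...` values and rewrites the rule as drop, alert, or a commented-out (disabled) rule. The policy table, the precedence rule for rules carrying several deployment values, and the sample rules are all assumptions made here.

```python
import re
from typing import List

# Assumed policy from the post: deployment value -> outcome ("disable" comments the rule out).
POLICY = {
    "internal": "drop",
    "alert_only": "alert",
    "ssldecrypt": "disable",
    "perimeter": "disable",
    "internet": "disable",
    "datacenter": "disable",
}
DEFAULT_OUTCOME = "alert"  # rules with no deployment metadata fall through unchanged
PRECEDENCE = {"drop": 2, "alert": 1, "disable": 0}  # assumption: strongest outcome wins

RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.+)$")
META_RE = re.compile(r"metadata\s*:\s*([^;]*);")

def deployment_values(rule: str) -> List[str]:
    """Return every 'deployment' value from the rule's metadata keyword, lowercased."""
    values = []
    for block in META_RE.findall(rule):
        for item in block.split(","):
            parts = item.strip().split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "deployment":
                values.append(parts[1].strip().lower().replace(" ", "_"))
    return values

def decide(rule: str) -> str:
    """Choose drop / alert / disable for one rule from its deployment metadata."""
    outcomes = [POLICY[v] for v in deployment_values(rule) if v in POLICY]
    return max(outcomes, key=PRECEDENCE.__getitem__) if outcomes else DEFAULT_OUTCOME

def apply_policy(line: str) -> str:
    """Rewrite one ruleset line; comments, blanks and already-disabled rules are returned as-is."""
    m = RULE_RE.match(line.strip())
    if not m:
        return line
    outcome = decide(line)
    if outcome == "disable":
        return "# " + m.group(0)
    return outcome + " " + m.group("rest")

# Constructed sample rules (local sid range), not taken from any real ruleset.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE outbound beacon"; metadata: deployment Internal, signature_severity Major; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE inbound scan"; metadata: deployment Perimeter; sid:9000002; rev:1;)',
    'alert tls any any -> any any (msg:"SAMPLE tls check"; metadata: deployment SSLDecrypt, deployment Internal; sid:9000003; rev:1;)',
    'alert http any any -> any any (msg:"SAMPLE no deployment tag"; sid:9000004; rev:1;)',
]
```

In a real deployment the same mapping is usually expressed in suricata-update's disable.conf/drop.conf, which can match rules on metadata, rather than by rewriting rule files by hand.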

What ruleset are you using and what type of metadata are you referring to?
Different rulesets use different metadata additions.