Suricata rule - deployment metadata

Nigel_Jones · April 23, 2024, 11:01am

I’m trying to optimize rules that I use to mitigate any performance impact/false positives.

The deployment field in a rule seems to allow

Datacenter
Internal
Internet
Perimeter
SSLDecrypt
alert only

Since I’m a home user, considering using Suricata on LAN (with no external services incoming) I’m thinking of policies
Internal → block
SSLDecrypt → disable (I am not introducing a proxy)
alert_only → alert
Perimeter, INternet, DataCenter → disable (I am not a data center, and a firewall protects the perimeter… internet I’m less clear on)

I couldn’t find any good docs on this - does it make sense?
Is this metadata fairly reliable?

Nigel_Jones · April 23, 2024, 11:09am

I’ve noticed quite a lot of rules don’t set this metadata. Most rules also default to Alert, so allowing this to fall through, remain enabled, but with alert, seems to make sense?

Nigel_Jones · April 23, 2024, 11:14am

A huge majority of rules are ‘perimeter’. I’m trying to detect wierd internal traffic that could be signs of a worm, botnet or similar. So this would be outbound traffic from the wan typically - hence my choice of metadata above?

Andreas_Herz · April 25, 2024, 3:59pm

What ruleset are you using and what type of metadata are you referring to?
Different rulesets use different metadata additions.

Topic		Replies	Views
Fast.log entry/entries Help ips	3	788	February 17, 2021
TLS offloaded sensor, suppress certain rules for only that sensor? Rules	2	99	March 13, 2024
How can I modify a suricata rule for complete URL not just the domain name Rules community , rules , suricata	1	1312	July 25, 2022
Outbound: Port Scanning & Brute Force detection Help	5	3504	March 22, 2022
Testing ssh related rules Rules rules	1	79	April 4, 2024

Suricata rule - deployment metadata

Related Topics