Surpress False Positives

Isac · December 29, 2021, 2:38pm

Hello all,

I’m pretty new to IDS and not a programmer (only network engineer). I like to eliminate false positives. I like to remove the alerts from the source and to the destination with a port number? For example, sql access from this host to sql server on port 1433 is safe. Or endpoint protection is reporting antivirus scan results to the server on port 7801 and this should not be detected as Log4j attempt. Is there any fast way to do that since I have a lot of false positives from INTERNAL hosts to INTERNAL hosts(please see below? If I can do it only with suppress, please give example source, destination and the PORT number.

Thank you
Isac

lex · December 30, 2021, 1:54pm

There’s a suppress option to avoid alert for a certain host.

suppress gen_id 0, sig_id 0, track by_src, ip 1.2.3.4

Documentation:
https://suricata.readthedocs.io/en/suricata-6.0.3/performance/ignoring-traffic.html?highlight=ignore#suppress

Isac · January 5, 2022, 8:47am

Thank you @lex
I tried that but I have SALT and it removes them from the threshold.config after the restart.
Do you have example for salt? saltstack/local/pillar/minions/MACHINEID_standalone.sls
In my case most of the alerts are coming from the same host or same subnet. I like to disable/suppress them only for them and rules should stay there. What is the best way to do that?

Thanks again.
Isac

Hita · January 6, 2022, 4:05am

You can also try to use pass rule to ignore all the alert between trusted sources and dest.

# For example ignore alerts from host ip 1.2.3.4 to sql server on port 1433
pass ip 1.2.3.4 any <> [sqlserver ip] 1433 (msg:"pass all traffic from/to 1.2.3.4 with sql server port 1433"; sid:1000000;)

Ref: 9.7. Ignoring Traffic — Suricata 6.0.4 documentation

AFAIK, suricata salt formula won’t manage the local rules files for you so you may need to add the rules by yourself via another states.

Isac · January 6, 2022, 1:40pm

Thank you @Hita
I managed to solve it but your suggestion is very interesting. Should I add it to the thresholding section? I’m using the below format. Thanks again.

thresholding:
  sids:
    8675309:
      - threshold:
          gen_id: 1
          type: threshold
          track: by_src
          count: 10
          seconds: 10
      - threshold:
          gen_id: 1
          type: limit
          track: by_dst
          count: 100
          seconds: 30
      - rate_filter:
          gen_id: 1
          track: by_rule
          count: 50
          seconds: 30
          new_action: alert
          timeout: 30
      - suppress:
          gen_id: 1
          track: by_either
          ip: 10.10.3.7

sgroenev · January 10, 2022, 11:58am

Any reason why not use a bpf filter in this case?

Topic		Replies	Views
Suppress alerts around known false positive! Rules	8	2606	August 16, 2023
Disable alerts based on rule ID and IP Address combination Help	3	1854	December 9, 2020
Rule threshold configuration Rules rules , suricata	2	1489	May 12, 2022
How to tune out alerts for specific SID when observed between two specific IP addresses? Rules	4	777	October 26, 2023
Suppress rule suricata Help rules , suricata	1	446	August 9, 2023

Surpress False Positives

Related topics