I’m just starting to brainstorm the best way to go about this. I have a handful of suricata sensors, and one of them is fed traffic from a TLS offloaded source. So, inevitably, the rule ET POLICY HTTP traffic on port 443 (POST) is firing like crazy, as are ET Policy rules for passwords in cleartext.
My initial thought is to suppress those rules only on the sensor in question. Is this the best solution, or are there other options here? I am very much open to, and grateful for, other suggestions.
For the sig that you mentioned above and ones similar, we will have updated for today with some extra metadata. For your use case with the sensor being fed decrypted traffic, you may want to look for signatures that have metadata “deployment SSLDecrypt” and “tls_state TLSDecrypt”.
This is something we are actively working on from the ET side to try and help customers more easily tune their rulesets effectively, so we appreciate any feedback!
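One way to act on the metadata suggestion above, as an added example that is not code from this thread or from Emerging Threats: a small Python script that parses a Suricata rules file, indexes each enabled rule's metadata, selects sids by a metadata key/value pair such as tls_state TLSDecrypt, and emits threshold.config suppress entries for whatever sids are chosen to be silenced on the TLS-offloaded sensor. The rules, sids and metadata values in SAMPLE_RULES are constructed for the demonstration and are not real ET signatures.

```python
import re
from typing import Dict, List, Set

# Constructed sample rules: sids, msgs and metadata are made up to show the
# format; they are not real ET signatures.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CONSTRUCTED POLICY HTTP on 443 (POST)"; flow:established,to_server; http.method; content:"POST"; sid:9000001; rev:1; metadata:deployment Perimeter, tls_state plaintext;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED POLICY cleartext password"; flow:established,to_server; http.request_body; content:"password="; sid:9000002; rev:1; metadata:deployment Perimeter, deployment SSLDecrypt, tls_state TLSDecrypt;)
# alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED disabled rule"; tls.sni; content:"x"; sid:9000003; rev:1; metadata:tls_state TLSDecrypt;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED TLS rule without metadata"; tls.sni; content:"example"; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata:\s*([^;]*);")

def parse_rules(text: str) -> Dict[int, Dict[str, Set[str]]]:
    """Map sid -> {metadata key: {values}} for every enabled rule.
    Commented-out rules and blank lines are skipped; a rule without a
    metadata option gets an empty dict. Keys may repeat (e.g. deployment)."""
    rules: Dict[int, Dict[str, Set[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        meta: Dict[str, Set[str]] = {}
        m = META_RE.search(line)
        if m:
            for pair in m.group(1).split(","):
                kv = pair.strip().split(None, 1)
                if len(kv) == 2:
                    meta.setdefault(kv[0], set()).add(kv[1].strip())
        rules[int(sid.group(1))] = meta
    return rules

def sids_with(rules: Dict[int, Dict[str, Set[str]]], key: str, value: str) -> List[int]:
    """Sids whose metadata carries key=value, e.g. ("tls_state", "TLSDecrypt")."""
    return sorted(s for s, meta in rules.items() if value in meta.get(key, set()))

def suppress_config(sids) -> str:
    """threshold.config entries that silence the given sids on one sensor."""
    return "\n".join(f"suppress gen_id 1, sig_id {s}" for s in sorted(sids))
```

Which sids to suppress on the decrypt-fed sensor remains a local decision; the script only separates decrypt-aware signatures from the rest using the ruleset's own metadata so that decision can be made per sensor.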
Thanks JT, glad to hear someone is considering this element already! I’ll take a look at the metadata in the newer rules, and submit feedback as necessary.