Using Suricata with Nessus in the Environment


I am an Elastic Engineer in charge of a deployment with a focus on security. I have recently started delving into our network traffic in a little bit more depth. I have started with Suricata, and quickly realized that a lot of the alerts that are firing are related to the Nessus/ACAS scans that are being run in our environment.

Have any of you worked in a similar environment, and if so what did you do to either reduce the amount of alerts that were related to ACAS scanning the environment or is it just part of operating with both technologies in the environment?


A possible approach is to bypass the Nessus machines' traffic based on their IPs.

Take a look here on how to do this: 6.11. Bypass Keyword — Suricata 6.0.0 documentation

And some other options, if you don’t want to use bypass: 9.7. Ignoring Traffic — Suricata 6.0.0 documentation
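As an added illustration (not part of the original reply and not copied from the Suricata documentation), here is what the two approaches look like in rule form. The scanner addresses and the NESSUS_SCANNERS variable name are placeholders; the variable is assumed to be defined under vars.address-groups in suricata.yaml.

```suricata
# suricata.yaml, under vars.address-groups (placeholder addresses):
#   NESSUS_SCANNERS: "[10.0.0.5,10.0.0.6]"

# Option 1: pass rule with the bypass keyword. The first packet of a flow to
# or from a scanner matches, the flow is marked as bypassed, and the rest of
# that flow skips detection. Because the match is on IP, it also covers the
# non-HTTP probes a vulnerability scanner sends.
pass ip $NESSUS_SCANNERS any <> any any (msg:"Bypass Nessus/ACAS scanner traffic"; bypass; sid:1000001; rev:1;)

# Option 2: BPF capture filter, loaded with "suricata -F bpf.txt". Scanner
# traffic never reaches the engine at all, so it disappears from flow and
# EVE logs as well as from alerts:
#   not host 10.0.0.5 and not host 10.0.0.6
```

Both options trade visibility for noise reduction: anything the scanner hosts do, including a compromise of the scanner itself, becomes invisible to Suricata, so the address list should be kept tight and reviewed when scanners are added. Run `suricata -T -S local.rules` after adding the rule to confirm the variable resolves and the signature parses.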