Which are the truly dangerous alerts/rules?

Suricata version: 6.0.10
OS: Debian 12.5
Installed: from APT

So I have been running Suricata for a few weeks (with a handful of enabled free/open sources).
I have (of course) gotten tons and tons of false positives, and I have been disabling/modifying every day basically. It's getting less and less.

However, it would be nice to know which alerts/rules are the really dangerous ones.
Not just stuff like “someone resolved a .top TLD hostname”.

I mean, stuff that is almost certainly something bad.

There is plenty in “classtype:misc-attack” that are false positives (for me).
Same with the “signature_severity” metadata.

Is there some way to figure this out?

My understanding of this is that each deployment and environment will have different protection requirements, so I imagine there isn’t a unique answer to this question.

That said, from a non-threat hunter, non-rule writer perspective, some things that come to mind are rules that check for attempts to gain/escalate user privileges; known protocols using unconventional ports or showing unconventional behavior; possible accesses from known malicious domains… And there's probably lots more, but I'd imagine that thinking in terms of risk categories could help :thinking:

Yeah, that's kinda my question :)
What "risk categories" would those be? How do I know which of the 70k rules belong to such a category?

"Attempts" to gain privileges are by far mostly false positives. If you have a bunch of public IPs, then you get scanned all day long :)

I am more thinking of for instance

  • rules that alert on certificates that are used by known trojans
  • then I don't really know what else… haha :)

I think you’re doing it just the right way. Iteratively reducing the noise you get so your eyes and mind stay open for the remaining alerts, to which you can then dedicate your full attention.

IMHO no classification scheme or tagging in rules can beat actually understanding what a rule detects and the role of the detected action in an attack. In general, I would probably look for “categories” such as

  • specific C2 traffic from internal to external networks
  • certificates associated with known bad actors
  • traffic that uncovers vulnerable devices or software versions in your network
  • cleartext credentials being sent over the network
  • successful exploits confirmed by a rule finding unique patterns in the traffic
  • connections to clearly malicious domains (unless coming from a malware detonator or sandbox)

As far as attempted exploits go, unless the exploit produces a detectable reaction that can also be observed on the network, how do you know it was a false positive? :wink:

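An added example, not from this thread or from the Suricata project: a small Python parser that reads a rule file and buckets each rule by its classtype and its signature_severity metadata, the two fields the question mentions, so you can see which of the 70k rules fall into the "look here first" categories from the last reply versus the attempt/scan classes it calls mostly noise. The sample rules, their sids and the two classtype sets are constructed assumptions to adjust for your own ruleset.

```python
from collections import Counter
# Constructed sample rules in Suricata rule syntax; sids 9000001+ are placeholders, not real ET/OISF sids.
SAMPLE_RULES = r'''
alert dns $HOME_NET any -> any any (msg:"TEST DNS Query to .top TLD"; dns.query; content:".top"; endswith; classtype:bad-unknown; sid:9000001; rev:1; metadata:signature_severity Informational;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST MALWARE Known Trojan Certificate"; tls.cert_subject; content:"O=Bad Corp\; CN=c2"; classtype:trojan-activity; sid:9000002; rev:2; metadata:signature_severity Critical, malware_family ExampleRAT;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"TEST SCAN SSH Brute Force Attempt"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:9000003; rev:1; metadata:signature_severity Minor;)
# alert http any any -> any any (msg:"TEST disabled rule"; classtype:misc-attack; sid:9000004; rev:1;)
'''
# Assumed classtype sets: the thread's "review first" categories versus the attempt/scan classes it calls mostly noise.
HIGH_SIGNAL = {"trojan-activity", "command-and-control", "domain-c2", "successful-admin", "successful-user", "credential-theft"}
NOISY = {"attempted-admin", "attempted-user", "attempted-recon", "network-scan"}

def split_options(body):
    """Split rule options on ';' honouring quotes and backslash escapes, so content:"a\\;b" stays whole."""
    opts, cur, quoted, esc = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not esc:
            opts.append(cur.strip()); cur = ""
            continue
        quoted ^= (ch == '"' and not esc)
        esc = (ch == "\\") and not esc
        cur += ch
    return opts + [cur.strip()] if cur.strip() else opts

def parse_rule(line):
    """Parse one active rule line into sid/msg/classtype/metadata; None for blank or commented lines."""
    line = line.strip()
    if not line or line[0] == "#" or "(" not in line:
        return None
    rule = {"sid": None, "msg": "", "classtype": "unclassified", "metadata": {}}
    for opt in split_options(line[line.index("(") + 1 : line.rindex(")")]):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("msg", "classtype", "sid"):
            rule[key] = int(val) if key == "sid" else val.strip('"')
        elif key == "metadata":  # "k v, k v" pairs; a key may repeat, so keep lists
            for pair in val.split(","):
                k, _, v = pair.strip().partition(" ")
                rule["metadata"].setdefault(k, []).append(v.strip())
    return rule

def triage(rule):
    """Bucket a rule by classtype and signature_severity metadata, the two fields the question asks about."""
    sev = rule["metadata"].get("signature_severity", ["unset"])[0]
    if rule["classtype"] in HIGH_SIGNAL and sev in ("Critical", "Major"):
        return "review-first"
    return "likely-noise" if rule["classtype"] in NOISY or sev == "Informational" else "review"

def load_rules(text):
    """Parse a rule file; return ({sid: rule}, Counter of (bucket, classtype)) to see where rules land."""
    rules = {r["sid"]: r for r in map(parse_rule, text.splitlines()) if r}
    return rules, Counter((triage(r), r["classtype"]) for r in rules.values())
```

Run it over your enabled rule files (e.g. the merged suricata.rules) and the Counter shows how many rules sit in each bucket; the per-sid dict lets you list the "review-first" ones to confirm what each actually detects.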