First check that the rule is triggering correctly
Confirm it's legitimate (the traffic it matched is expected in your environment)
Gather the decoded network data
Source IP: 192.168.1.10
Destination IP: 192.168.1.65
Rule ID (SID): 2102251
Rules file location
/opt/so/rules/nids/all.rules
Count rules:
wc -l all.rules
Find your rule:
grep 2102251 all.rules
You can fully disable a rule if it does not apply to your environment
sudo so-rule disabled add 2102251
grep 2102251 all.rules (the rule line should now start with # to show it's commented out)
Using a regular expression to disable all rules whose text matches STUN
sudo so-rule disabled add 're:STUN'
grep STUN all.rules
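An added example, not Security Onion's own so-rule code, that models the two checks above against a constructed stand-in for all.rules. It shows why `grep 2102251 all.rules` can print more than one line (any rule whose content contains those digits also matches) and lets you preview which SIDs a `re:` selector would comment out before you run so-rule. Assumptions: the regex form of so-rule is modelled as a case-insensitive match against the whole rule line, and every rule line and SID other than 2102251 is made up.

```python
import re

# Constructed stand-in for a few lines of /opt/so/rules/nids/all.rules.
# The SIDs and messages are illustrative only, not the real rule bodies.
SAMPLE_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ICMP Echo Request"; itype:8; sid:2102251; rev:1;)
alert udp any any -> any 3478 (msg:"EXAMPLE STUN Binding Request"; sid:9000001; rev:1;)
# alert udp any 3478 -> any any (msg:"EXAMPLE STUN Binding Response"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; flags:S,12; sid:9000003; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE content with digits 2102251 in it"; content:"2102251"; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def parse_rules(text):
    """Yield (sid, msg, disabled, body) for every rule line, commented out or not."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        disabled = stripped.startswith("#")
        body = stripped.lstrip("# ")
        m = SID_RE.search(body)
        if not m:
            continue  # not a rule line (e.g. a plain comment)
        msg = MSG_RE.search(body)
        yield int(m.group(1)), (msg.group(1) if msg else ""), disabled, body


def rule_state(text, sid):
    """'enabled', 'disabled' (commented out with #) or 'missing' for one SID.

    Unlike `grep 2102251 all.rules`, this matches the sid: keyword itself,
    so a rule that merely contains the digits in its content does not count.
    """
    for rule_sid, _msg, disabled, _body in parse_rules(text):
        if rule_sid == sid:
            return "disabled" if disabled else "enabled"
    return "missing"


def preview_disable(text, selector):
    """Return the enabled SIDs that `so-rule disabled add <selector>` would comment out.

    selector is either a SID ('2102251') or 're:<regex>'. Assumption: the regex
    form is matched case-insensitively against the whole rule line; that is how
    this example models so-rule, check the so-rule source for exact semantics.
    """
    if selector.startswith("re:"):
        pat = re.compile(selector[3:], re.IGNORECASE)
        hit = lambda sid, body: pat.search(body) is not None
    else:
        wanted = int(selector)
        hit = lambda sid, body: sid == wanted
    return sorted(sid for sid, _msg, disabled, body in parse_rules(text)
                  if not disabled and hit(sid, body))


if __name__ == "__main__":
    print("state of 2102251:", rule_state(SAMPLE_RULES, 2102251))
    print("lines grep 2102251 would show:",
          sum(1 for l in SAMPLE_RULES.splitlines() if "2102251" in l))
    print("re:STUN would disable:", preview_disable(SAMPLE_RULES, "re:STUN"))
```

Run it against the real file with `preview_disable(open('/opt/so/rules/nids/all.rules').read(), 're:STUN')` to see the blast radius of a regex before you commit it; a loose pattern can silence far more than the one rule you are tuning.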
To do fine-grained tuning by source/destination we need to edit the global.sls file
sudo su
cd /opt/so/saltstack/local/pillar
vi global.sls
global.sls is a YAML file, so indent with spaces, not tabs. If you have a standalone you can edit it in one place, but if you have multiple sensors you will need to edit the file on each one.
Suppress by source IP:

thresholding:
  sids:
    2102251:
      - suppress:
          gen_id: 1
          track: by_src
          ip: 10.4.8.1

(the ip value can also be a CIDR block such as 10.4.8.0/24)
Suppress by threshold:

thresholding:
  sids:
    2102251:
      - threshold:
          gen_id: 1
          type: threshold
          track: by_src
          count: 10
          seconds: 3600

With type: threshold, count: 10 and seconds: 3600, Suricata only raises the alert on every 10th match from the same source within an hour; a source that stays below that stays quiet. If one source trips it that often something is going on and I want to look into that.
Save the global.sls file and restart Suricata (we are still root from the sudo su above)
so-suricata-restart
Then ack the event in the Alerts page in SOC
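An added example, not Security Onion or Suricata code, covering the global.sls tuning above. It renders the thresholding block for a SID with the two-space layout shown on this page (so you can paste it without tab trouble) and runs a simplified model of Suricata's suppress and threshold behaviour over a constructed stream of rule matches, so you can see how many alerts a given count/seconds pair would leave you with. Assumptions: the model follows the Suricata documentation's three threshold types (limit, threshold, both) but ignores implementation details such as per-thread state; the match timestamps and hosts are made up; the helper names are mine.

```python
# Added example; models the effect of the global.sls thresholding block.


def render_thresholding(sid, suppress_ip=None, threshold=None):
    """Return the YAML text for one SID using two-space indents, never tabs."""
    ind = "  "
    lines = ["thresholding:", f"{ind}sids:", f"{ind * 2}{sid}:"]
    if suppress_ip is not None:
        lines += [f"{ind * 3}- suppress:",
                  f"{ind * 5}gen_id: 1",
                  f"{ind * 5}track: by_src",
                  f"{ind * 5}ip: {suppress_ip}"]
    if threshold is not None:
        lines += [f"{ind * 3}- threshold:",
                  f"{ind * 5}gen_id: 1",
                  f"{ind * 5}type: {threshold['type']}",
                  f"{ind * 5}track: by_src",
                  f"{ind * 5}count: {threshold['count']}",
                  f"{ind * 5}seconds: {threshold['seconds']}"]
    return "\n".join(lines) + "\n"


def apply_threshold(events, count, seconds, kind="threshold", track="by_src",
                    suppress_ip=None):
    """Simplified model of Suricata thresholding over (time_s, src, dst) matches.

    kind 'limit'     : at most `count` alerts per `seconds` window per tracked host
    kind 'threshold' : one alert for every `count` matches inside the window
    kind 'both'      : a single alert once `count` matches occur inside the window
    suppress_ip      : matches from this source never alert at all
    Returns the (time_s, src) pairs that would show up as alerts in SOC.
    """
    state = {}  # tracked host -> [window_start, matches_in_window]
    alerts = []
    for t, src, dst in sorted(events):
        if suppress_ip is not None and src == suppress_ip:
            continue
        key = src if track == "by_src" else dst
        if key not in state or t - state[key][0] >= seconds:
            state[key] = [t, 0]  # open a fresh window for this host
        state[key][1] += 1
        n = state[key][1]
        if kind == "limit":
            fire = n <= count
        elif kind == "threshold":
            fire = n % count == 0
        elif kind == "both":
            fire = n == count
        else:
            raise ValueError(f"unknown threshold type {kind!r}")
        if fire:
            alerts.append((t, src))
    return alerts


# Constructed matches for SID 2102251 (not captured data): 10.4.8.1 trips the
# rule every minute for 12 minutes; 10.4.8.2 trips it three times, the last
# one well outside the first hour.
EVENTS = [(i * 60, "10.4.8.1", "192.168.1.65") for i in range(12)] + [
    (100, "10.4.8.2", "192.168.1.65"),
    (200, "10.4.8.2", "192.168.1.65"),
    (5000, "10.4.8.2", "192.168.1.65"),
]

if __name__ == "__main__":
    print(render_thresholding(2102251, suppress_ip="10.4.8.1",
                              threshold={"type": "threshold", "count": 10,
                                         "seconds": 3600}))
    for kind in ("threshold", "limit", "both"):
        print(kind, apply_threshold(EVENTS, 10, 3600, kind=kind))
    print("suppress 10.4.8.1:",
          apply_threshold(EVENTS, 10, 3600, suppress_ip="10.4.8.1"))
```

With the page's settings (type threshold, count 10, seconds 3600) the noisy host produces exactly one alert, on its 10th match, and the quiet host none; switch kind to limit and you get the first 10 from the noisy host plus every match from the quiet one, which is the better choice when you still want to see low-volume sources.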