Netgate Discussion Forum

    Inline Suricata Setup on WAN

    patrick0525

      My inline mode Suricata posted an alert

      Date        Time      Pri  Proto  Class                          Source        SPort  Destination     DPort  GID:SID    Description
      03/11/2017  22:44:20  1    TCP    A Network Trojan was Detected  192.168.1.XX  62206  172.82.165.74   80     1:2003492  ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
      03/11/2017  22:44:18  1    TCP    A Network Trojan was Detected  192.168.1.XX  6935   104.207.143.23  80     1:2003492  ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)


      192.168.1.XX is the DHCP lease IP address of my pfSense LAN

      Is this a REAL malicious malware?
      Do I set my Pass List to None for inline? (Services/Suricata/Edit Interface Settings - WAN)

      Does setting the Pass List to None permanently keep the block rule in place? Right?

      How do I unblock false positive alerts and allow them to pass through?

      In (Services/Suricata/Global Settings), how does Remove Blocked Hosts Interval work when set to 1 hour?

      Thanks

      pfBasic

        22:44:18  1  TCP  A Network Trojan was Detected  192.168.1.XX  6935  104.207.143.23  80  1:2003492  ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)

        The signature ID for that rule is "2003492"

        Right under that number you should see a little red "X" that allows you to disable that rule and remove it from the current ruleset. You can click this on any rule that is generating a False Positive for you.

        It is likely that you will initially have quite a few rules generating FPs on your network when you first implement Suricata (unless you were very conservative in which rules you turned on).

        It is probably worth your time to search through the forums and read through some posts of what other experienced users have enabled & disabled in their rulesets. There are also posts that will show you how to bulk disable rules as clicking through rules to disable them can be very time consuming.

        Reading through this post may be worth your time:

        https://forum.pfsense.org/index.php?topic=78062.msg428124#msg428124

        patrick0525
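As an added, worked illustration of the tuning described in the reply above (not code from the thread, from Netgate or from the Suricata or pfSense projects), the script below parses Suricata fast.log alert lines, groups them by signature ID, and emits threshold.conf `suppress` entries scoped to the internal hosts that triggered a SID, which is narrower than removing the rule for every host. The sample log lines, the 192.168.1.0/24 LAN range, the host addresses, the rule revision numbers and the second rule (SID 9000001) are constructed for the example; only SID 2003492 and its message come from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample alerts in Suricata fast.log format. The thread shows the
# pfSense GUI table instead; these lines are made up to carry the same SID.
# Hosts, ports, rule revisions and SID 9000001 are assumptions for the example.
SAMPLE_FAST_LOG = """\
03/11/2017-22:44:18.105021  [**] [1:2003492:14] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.50:6935 -> 104.207.143.23:80
03/11/2017-22:44:20.330912  [**] [1:2003492:14] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.50:62206 -> 172.82.165.74:80
03/11/2017-22:45:01.000001  [**] [1:2003492:14] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.77:51000 -> 198.51.100.9:80
03/11/2017-22:46:13.777777  [**] [1:9000001:1] LOCAL Example rule (constructed) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.50:40001
"""

# One fast.log record: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>]
# [Priority: <p>] {<proto>} <src>:<sport> -> <dst>:<dport>"
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s+(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def summarize_by_sid(alerts, internal_net):
    """Group alerts by SID, recording how often each fired and which hosts
    inside internal_net (a CIDR string) were the *source* of the flagged traffic."""
    net = ip_network(internal_net)
    summary = defaultdict(lambda: {"gid": 1, "msg": "", "count": 0, "internal_src": set()})
    for a in alerts:
        entry = summary[a["sid"]]
        entry["gid"] = a["gid"]
        entry["msg"] = a["msg"]
        entry["count"] += 1
        if ip_address(a["src"]) in net:
            entry["internal_src"].add(a["src"])
    return dict(summary)


def suppress_entries(summary, sid):
    """threshold.conf lines that silence one SID only for the internal hosts
    that triggered it; the rule keeps firing for every other source."""
    entry = summary[sid]
    return [
        f"suppress gen_id {entry['gid']}, sig_id {sid}, track by_src, ip {host}"
        for host in sorted(entry["internal_src"], key=ip_address)
    ]


def disable_entry(summary, sid):
    """gid:sid line in the disablesid.conf style, which disables the rule everywhere."""
    return f"{summary[sid]['gid']}:{sid}"


if __name__ == "__main__":
    lan = "192.168.1.0/24"  # assumed LAN range
    summary = summarize_by_sid(parse_fast_log(SAMPLE_FAST_LOG), lan)
    for sid, entry in sorted(summary.items()):
        print(f"SID {sid}: {entry['count']} alert(s)  {entry['msg']}")
        hosts = sorted(entry["internal_src"], key=ip_address)
        print("  internal sources:", ", ".join(hosts) or "(none)")
    print("\n# threshold.conf (host-scoped):")
    print("\n".join(suppress_entries(summary, 2003492)))
    print("\n# disablesid.conf (global):")
    print(disable_entry(summary, 2003492))
```

The host-scoped `suppress` form keeps the rule active for every other LAN host, so a later infection elsewhere still alerts; the global `gid:sid` disable is the quicker fix when the rule is noisy across the whole network. Before suppressing, it is worth confirming which program on 192.168.1.XX is sending the Mozilla/4.0 User-Agent, since the suppress entry also hides a genuine hit from that host.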

          Thank you
