Noisy Suricata Logs
-
We're running Suricata 4.0.12_2 on pfSense 2.4.3-RELEASE-p1. We've put the Suricata Alerts on the Dashboard, and we're getting a tremendous number of alerts that are not useful, such as for multicast and Discard protocol traffic from devices on a perimeter network. While we want Suricata to continue to manage such traffic as appropriate, we'd like to filter those messages out of not only the full log (and that filter is only temporary) but also from the Dashboard log. Is there any way to do that without suppressing or disabling the rule?
-
@eveningstarnm said in Noisy Suricata Logs:
tremendous number of alerts that are not useful,
No - you don't say??? Really a IPS/IDS that has a shitton of false positives... Who would of ever thunk it ;) hehehehe ROFL...
That people think they can turn on a IPS/IDS and not spend hours and or days even years tweaking it and maintaining it beyond naive to be honest.. You do understand there is a whole section of secops that deals with managing IDS/IPS right.. And that skillset makes really decent money as well...
While pfsense can make the tools available - and try and make it easier to work with via a nice gui.. They can not auto tweak the rules to your environment... There is no magic button - hide the noise ;)
Do you honestly think someone can say in a forum post - oh yeah you forgot to click the no noise button?
-
@johnpoz So, basically, you have no suggestions and can offer no help. That's good to know. I'll be able to safely ignore you from now on.
-
heheh - yeah go ahead.. I feel so bad about that ;) Not sure I will be able to go on.. ROFL
Not like there are not another 100 users a day asking the same moronic questions over and over again.. Looking for the magic do this for me button vs actually doing some research on what is required to run a valid IPS/IDS system. Not sure I will be able to sleep tonight with all the worry I will have over the noise in your logs..
Good luck - please feel free to ignore any future posts of mine..
I mean really your so lazy you can not even post some of this noise to ask what it means. But somehow we are magically suppose to say click here?? Sorry there is no magic checkbox to hide noise ;)
-
@eveningstarnm
https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint -
@bbcan177 Thank you! That's a great resource. I hope to find what I'm looking for right now in it (it's a long read), but I've already found a couple of things I wish I'd known before.
-
Have you made a pass list yet?
