Netgate Discussion Forum
    Noisy Suricata Logs

    Category: IDS/IPS | Tag: suricatalog | 7 Posts, 4 Posters, 2.3k Views
    • EveningStarNM wrote:

      We're running Suricata 4.0.12_2 on pfSense 2.4.3-RELEASE-p1. We've put the Suricata Alerts on the Dashboard, and we're getting a tremendous number of alerts that are not useful, such as for multicast and Discard protocol traffic from devices on a perimeter network. While we want Suricata to continue to manage such traffic as appropriate, we'd like to filter those messages out of not only the full log (and that filter is only temporary) but also from the Dashboard log. Is there any way to do that without suppressing or disabling the rule?

      • johnpoz (LAYER 8 Global Moderator) wrote:

        @eveningstarnm said in Noisy Suricata Logs:

        tremendous number of alerts that are not useful,

        No - you don't say??? Really, an IPS/IDS that has a shitton of false positives... Who would have ever thunk it ;) hehehehe ROFL...

        That people think they can turn on an IPS/IDS and not spend hours, or days, or even years tweaking it and maintaining it is beyond naive, to be honest.. You do understand there is a whole section of secops that deals with managing IDS/IPS, right.. And that skillset makes really decent money as well...

        While pfSense can make the tools available - and try to make it easier to work with via a nice GUI.. they cannot auto-tweak the rules to your environment... There is no magic button - hide the noise ;)

        Do you honestly think someone can say in a forum post - oh yeah, you forgot to click the no-noise button?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • EveningStarNM (replying to @johnpoz) wrote:

          @johnpoz So, basically, you have no suggestions and can offer no help. That's good to know. I'll be able to safely ignore you from now on.

          • johnpoz (LAYER 8 Global Moderator) wrote:

            heheh - yeah, go ahead.. I feel so bad about that ;) Not sure I will be able to go on.. ROFL

            Not like there are not another 100 users a day asking the same moronic questions over and over again.. Looking for the magic "do this for me" button vs actually doing some research on what is required to run a valid IPS/IDS system. Not sure I will be able to sleep tonight with all the worry I will have over the noise in your logs..

            Good luck - please feel free to ignore any future posts of mine..

            I mean really, you're so lazy you cannot even post some of this noise to ask what it means. But somehow we are magically supposed to say "click here"?? Sorry, there is no magic checkbox to hide noise ;)

            • BBcan177 (Moderator) wrote:

              @eveningstarnm
              https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              • EveningStarNM (replying to @BBcan177) wrote:

                @bbcan177 Thank you! That's a great resource. I hope to find what I'm looking for right now in it (it's a long read), but I've already found a couple of things I wish I'd known before.

                • necs-gungaro wrote:

                  Have you made a pass list yet?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.